Securosis


Why Amazon is Rebooting Your Instances (Updated)

Update: Amazon published some details. Less than 10% of AWS systems are affected, and the vulnerability will be disclosed October 1st. As suspected this is about Xen – not the bash vulnerability.

Yesterday I received notice that Amazon Web Services is force rebooting one of my instances. Then more emails started rolling in, and it looks like many (or all) of them will be rebooted during a single maintenance window. It has been a few years since this happened, and the reason ties into how AWS updates the servers your instances run on. We actually teach this in our cloud security training class, including how to architect your own cloud so you might not have to do the same thing – with, of course, many caveats.

My initial assumption was application of a quiet security patch, and that looks dead on. From @ClipperChip via Matt Green on Twitter:

Amazon rebooting all AWS instances (https://t.co/xg2XoXDdEe) + an undisclosed advisory on http://t.co/PdLqk8qXSE http://t.co/Fo1beT7xrN 🙂

And here is what looks like that vuln:

XSA-108 | 2014-10-01 12:00 | none (yet) assigned | (Prereleased, but embargoed)

How AWS updates servers

Amazon uses a modified version of the Xen hypervisor. Our understanding of their architecture indicates they do not support live migration. Live migration, available under VMware as vMotion, allows you to move a running virtual machine from one physical host to another without shutting it down.

When you build a cloud, host servers consist of (at least) a hypervisor with management and connectivity components. Sometimes, as with OpenStack, you even have a usable operating system. All these components need to be updated periodically. Some updates require rebooting the host server. To update the hypervisor you typically need to shut down the virtual machines (instances) running on top of it.
There are two common ways to manage these updates to reduce downtime:

1. Update a host without any virtual machines running on it, then live migrate instances from a vulnerable host to a patched one. Then update the vulnerable host once all its instances are running elsewhere.
2. If you cannot live migrate, do the same thing by shutting down and restarting the instances. If you built your cloud properly you can set a rule in the controller to not launch instances on the vulnerable host while preparing to reboot. Then the simple act of shutting down and relaunching the instance will automatically migrate it to a patched host.

In case you didn't realize, every time you shut an instance down and start it again you likely move to a new host server. That is just normal cloud automation at work. When AWS has a large security patch like this they cannot rely on all customers conveniently relaunching during the desired window, so they need to take a maintenance window and do it for all affected users. Simple reboots generally do not trigger a host migration because a reboot doesn't actually shut down the entire instance – the virtual machine just executes the operating system shutdown and reboot procedures, but the instance is never destroyed or completely halted.

Many people don't architect resilient servers to handle reboots, which is the problem. Or the reboots require some manual testing. This is why I am a massive fan of DevOps – its techniques provide extra resiliency for situations like this – but that's for another post.

Our cloud security training covers this, and one critical security requirement when building a private (or public) cloud is to understand your patching requirements and their implications for instances. For example, if you architect for live migration you can reduce required reboots, by accepting different implications and constraints.
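A worked version of that reboot-versus-stop/start decision, as an added example (it is not Securosis or AWS code). It reads the scheduled-event JSON that `aws ec2 describe-instance-status` returns, treats host-level events (system-reboot, system-maintenance, instance-retirement) as ones an EBS-backed instance can escape by a stop/start before the window opens, and treats instance-reboot as one a plain reboot satisfies without changing hosts. The instance IDs, timestamps and root-device map are constructed, and the action names are my own labels.

```python
"""Triage EC2 scheduled events.

Added example (not Securosis or AWS code). It reads the JSON shape that
`aws ec2 describe-instance-status` returns for scheduled events and decides,
per instance, whether a stop/start before the maintenance window will move
the instance to a different (already patched) host, or whether a reboot is
all that is needed. The sample data below is constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Host-level work: the instance must leave this host. For an EBS-backed
# instance a stop/start lands it on another host; an instance-store
# instance cannot be stopped, so a replacement has to be launched.
MIGRATE = {"system-reboot", "system-maintenance", "instance-retirement"}
# Instance-level work: a reboot clears it, and a reboot keeps the same host.
REBOOT = {"instance-reboot"}

# Constructed sample in the describe-instance-status output shape.
SAMPLE_STATUS = json.loads("""
{"InstanceStatuses": [
  {"InstanceId": "i-0aaa000000000001",
   "Events": [{"Code": "system-reboot",
               "Description": "The instance is scheduled for a reboot",
               "NotBefore": "2014-09-26T02:00:00.000Z",
               "NotAfter": "2014-09-26T04:00:00.000Z"}]},
  {"InstanceId": "i-0aaa000000000002",
   "Events": [{"Code": "system-reboot",
               "Description": "The instance is scheduled for a reboot",
               "NotBefore": "2014-09-26T02:00:00.000Z",
               "NotAfter": "2014-09-26T04:00:00.000Z"}]},
  {"InstanceId": "i-0aaa000000000003",
   "Events": [{"Code": "instance-reboot",
               "Description": "The instance is scheduled for a reboot",
               "NotBefore": "2014-09-26T02:00:00.000Z",
               "NotAfter": "2014-09-26T04:00:00.000Z"}]},
  {"InstanceId": "i-0aaa000000000004",
   "Events": [{"Code": "system-reboot",
               "Description": "[Completed] The instance is scheduled for a reboot",
               "NotBefore": "2014-09-20T02:00:00.000Z",
               "NotAfter": "2014-09-20T04:00:00.000Z"}]},
  {"InstanceId": "i-0aaa000000000005", "Events": []}
]}
""")

# Constructed: RootDeviceType as reported by `aws ec2 describe-instances`.
SAMPLE_ROOT_DEVICE = {
    "i-0aaa000000000001": "ebs",
    "i-0aaa000000000002": "instance-store",
    "i-0aaa000000000003": "ebs",
    "i-0aaa000000000004": "ebs",
    "i-0aaa000000000005": "ebs",
}


def parse_ts(ts):
    """Parse the millisecond-precision UTC timestamps AWS emits."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def triage(status, root_device, now_ts):
    """Return {instance_id: (action, seconds_until_window)}."""
    now = parse_ts(now_ts)
    plan = {}
    for inst in status["InstanceStatuses"]:
        iid = inst["InstanceId"]
        # AWS keeps finished events in the list, flagged in the description.
        pending = [e for e in inst.get("Events", [])
                   if not e["Description"].startswith(("[Completed]", "[Canceled]"))]
        if not pending:
            plan[iid] = ("none", None)
            continue
        # Act on the earliest window if several events are pending.
        event = min(pending, key=lambda e: parse_ts(e["NotBefore"]))
        lead = int((parse_ts(event["NotBefore"]) - now).total_seconds())
        if event["Code"] in MIGRATE:
            if root_device.get(iid) == "ebs":
                action = "stop-start-before-window"  # lands on another host
            else:
                action = "launch-replacement"  # instance-store cannot stop
        elif event["Code"] in REBOOT:
            action = "reboot-in-place"  # a reboot never changes hosts
        else:
            action = "review"  # unknown code: a human decides
        plan[iid] = (action, lead)
    return plan


if __name__ == "__main__":
    for iid, (action, lead) in triage(SAMPLE_STATUS, SAMPLE_ROOT_DEVICE,
                                      "2014-09-25T02:00:00.000Z").items():
        print(f"{iid}: {action}" + (f" ({lead // 3600}h lead)" if lead else ""))
```

Run it as-is to print the plan for the sample data; in practice feed it the output of `aws ec2 describe-instance-status --output json` and the RootDeviceType values from `describe-instances`. Whether a stop/start really lands on a patched host depends on the provider's scheduler, which is exactly the controller rule described above, so confirm the event has disappeared from the next status call rather than assuming.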


Why the bash vulnerability is such a big deal (updated)

Updated: I made a mistake and gave Akamai credit. Stephane doesn't work for them – I misread the post. Fixed.

Critical update: Red Hat confirmed their patch is incomplete, and patched bash is still exploitable. The technical term is "cluster fuck". Anything you patch now will need to be repatched later. For critical systems consider the workaround in their post. For everything else, wait until your vendors release complete patches.

Earlier today details of a vulnerability in the UNIX/Linux/OS X tool bash, discovered by Stephane Chazelas, became public with a disclosure and patch by Red Hat. It is called Shellshock, and it might be worse than Heartbleed. Most of you reading this are likely extremely familiar with bash, but in case you aren't, it is the most popular command-line shell program in the UNIX world, installed on pretty much anything and everything. From Red Hat:

Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.

You might be thinking that someone needs to log in before they can ever reach bash, so no big deal, right? Wrong. Access to bash is embedded in a ton of applications, from CGI scripts running on Apache web sites to all sorts of random applications. Here is the short explanation of why this is so bad, and why we will likely be dealing with it for years: bash is embedded and accessed in so many ways that we cannot fully understand its depth of use. Many systems you would never think of as having a command line use bash to run other programs. I have used it myself, a bunch, in programs I have written – and I barely code. We cannot possibly understand all the ways an attacker could interact with bash to exploit this vulnerability.
As Rob Graham has discovered, this is likely wormable. That places it into Code Red/Nimda territory. A wormable bug that can exploit public web servers is scary. We don't know for sure, Rob doesn't know for sure, but it looks very very possible. Potential worms are like staring at the smoking volcano while the earthquakes stir your martini – they aren't the sort of thing you can wait for definitive proof on before taking seriously.

There are rumors the patch may be incomplete. There is already a Metasploit module. Gee, thanks guys… you couldn't give us a day? I strongly suggest keeping up with Rob's analysis.

There is really only one option: patch. It isn't a fancy patch, but fragile systems could still suffer downtime. And you may need to re-patch if the original patch turns out to be faulty, which is always terrible. I will patch my systems and keep my ears open for any updates.

Don't trust any security vendor who claims they can block this. Patching is the only way to fix the core problem, which likely includes multiple exploit vectors. I will give bonus points to anyone who finds a vendor using Shellshock in their marketing, which then turns out to have a vulnerable product. Any security product based on UNIX/Linux is potentially vulnerable, although not necessarily exploitable. I suspect the Microsoft Security Response Center is very much enjoying their quiet evening.
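To make the CGI vector concrete, here is an added example (mine, not Red Hat's, Rob Graham's or Securosis' code). It builds the environment a CGI server hands to a script the way RFC 3875 specifies, with each request header becoming an HTTP_* variable, which is exactly how attacker-controlled text ends up in bash's environment; and it scans constructed Apache access-log lines for the `() {` function-definition prefix in the User-Agent and Referer fields. The sample payload is the widely circulated harmless test string `() { :;}; echo vulnerable`. Treat this as a hunting aid, not a fix: it catches only the obvious prefix in two logged fields, other headers and other vectors exist, and bash still has to be patched.

```python
"""How an HTTP request reaches bash through CGI, plus a log check for the
Shellshock function-definition prefix.

Added example; the request headers and log lines below are constructed.
"""
import re

# The trigger is an environment value beginning with a function
# definition, "() {". Vulnerable bash versions keep parsing, and executing,
# what follows the closing brace. Whitespace in the prefix is optional, so
# match loosely.
SHELLSHOCK_PREFIX = re.compile(r"\(\s*\)\s*\{")


def cgi_environment(headers, method="GET", path="/cgi-bin/status.sh"):
    """Build the environment a CGI server passes to the script (RFC 3875)."""
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path,
           "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        # User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER, and so on.
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def tainted_variables(env):
    """Names of environment variables carrying a function-definition prefix."""
    return sorted(k for k, v in env.items() if SHELLSHOCK_PREFIX.match(v.lstrip()))


# Constructed Apache combined-format access log lines.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2014:18:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Sep/2014:18:01:07 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
10.0.0.9 - - [24/Sep/2014:18:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "(){ :; }; echo vulnerable" "curl/7.37.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def suspicious_log_lines(log_text):
    """Return (ip, request, field) for lines whose UA or Referer carries the prefix.

    A probe against a static path does not reach bash, but it is still
    worth knowing who is scanning you, so every hit is reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_PREFIX.match(m.group(field).lstrip()):
                hits.append((m.group("ip"), m.group("req"), field))
    return hits


if __name__ == "__main__":
    env = cgi_environment({"User-Agent": "() { :;}; echo vulnerable"})
    print("tainted:", tainted_variables(env))
    for hit in suspicious_log_lines(SAMPLE_LOG):
        print("probe:", hit)
```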


Summary: Run Free

Last night I spent four hours without my iPhone. Four conscious hours, to be specific. It was wonderful. I realize that may sound strange, but I bet the majority of you reading this nearly always have a phone within hearing range, if not actively grasped in your hand or stuffed in a pocket where you obsessively check it every now and then, when the slightest breeze triggers the vibration nerves in your upper thigh. Maybe the Apple Watch will fix that last one. Unlike most of you I have been living with pagers, radios, and other on-call devices since around 1991. Due to my involvement in emergency services, I was effectively on-call continuously for years at a time. No, I was not required to show up, but between paid and volunteer gigs you just get used to always being in touch. It was also an amazing way to get out of crappy dates. But somehow my public service commitment slowly transitioned to having my phone on or near me at nearly all times. Part of this is due to my inherent geekiness, some an effect of running my own business, a smidge from being a parent, and plenty from a developed habit that isn’t necessarily the most positive psychological development. Practically speaking I do need to have my phone near me quite a bit, especially during working hours. Even when I am blocking out distractions, the folks I work with need to be able to get a hold of me if something important comes up – especially since I manage all our IT. And with a family of 5 there is a lot to coordinate. I even need it on longer workouts for safety – I run in the desert, ride my bike far from home (sometimes an hour away by car) and go on excursions in new cities. Is my phone a necessity? No, I did all that before having a phone, but I also got into some dicey situations. But that doesn’t mean it needs to be all the time. I used to catch a break when I was on mountain rescues or ski patrol. 
But not only do I not participate in those any more, cell coverage is far better than you would expect unless you go really deep into the backcountry. Or need to make a call on AT&T in New York City.

Last night I was in San Jose for the Cloud Security Alliance conference. After teaching a developer class I met up with a friend who is also a runner (better than me). We went out for a nice four miles, and decided to grab some beer and burritos without swinging back for our stuff (she had cash). Between the run, slow service, and finding food, it was nearly four hours before we re-attached our digital leashes.

This wasn't some sort of existential event. But it was nice to be out of touch for a while, and not worry about it. And even better that it didn't involve some massive excursion to evade cell towers. A run, two beers, a burrito, and then back home. No Yelp to check reviews, Siri to find the closest burrito, email interruptions, or text messages. We survived, as did our children and businesses. Go figure.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Rich quoted in USA Today on payments.
Rich also quoted in The Guardian on Apple Pay.
Adrian quoted on Sentrix. Not that the rest of us know who that is.
Adrian quoted on Apple Pay at TechTarget.
Rich on the ThreatPost podcast with Dennis Fisher. I always love talking with him. He lets me use bad words.

Favorite Securosis Posts

Mike Rothman: Secure Agile Development: Process Adjustments. Adapting to the situation is always challenging. Adrian and Rich go into how to adapt Agile development when things need to be tuned a bit.
Adrian Lane: Firestarter: Apple Pay.
Rich: Fix Something. No matter how good you are at poking holes and pointing fingers, I respect those who try to fix things more.

Other Securosis Posts

Incite 9/17/2014: Break the Cycle.
New Paper! The Security Pro's Guide to Cloud File Storage and Collaboration.

Favorite Outside Posts

Mike Rothman: And so there must come an end. Really inspiring post on handling the end of life with grace. Charley documented her battle against cancer and wrapped up the story in a way that reminds us of the impermanence of everything.
Adrian Lane: OWASP Top 10 is Overrated. The author is clear that this is flame bait, but correct that the focus has shifted to the top 10, without understanding reaching beyond that simple list. The point of OWASP was community awareness, but they stumbled across what everyone in the press knows: people want distilled information.
Rich: I'm picking my own post on Apple Privacy at Macworld from back in June. Why? Well, Tim Cook's statement on privacy might be one reason.

Research Reports and Presentations

The Security Pro's Guide to Cloud File Storage and Collaboration.
The 2015 Endpoint and Mobile Security Buyer's Guide.
Analysis of the 2014 Open Source Development and Application Security Survey.
Defending Against Network-based Distributed Denial of Service Attacks.
Reducing Attack Surface with Application Control.
Leveraging Threat Intelligence in Security Monitoring.
The Future of Security: The Trends and Technologies Transforming Security.
Security Analytics with Big Data.
Security Management 2.5: Replacing Your SIEM Yet?
Defending Data on iOS 7.

Top News and Posts

Home Depot hack may have exposed 56 million credit card numbers. I think we have our inflection point now.
Ping Identity Scoops $35M To Authenticate Everywhere.
The NSA Spied on German Telecoms.
Chinese Penetrate TRANSCOM Amid Lack of Data Sharing. Long term penetration of US military logistics chain. Nice.
Critical updates for Adobe Reader and Acrobat.


Firestarter: Apple Pay

After a short break, the boys are back and here to talk about Apple. No, not the new wrist-mounted toy, but the first mobile payment system you might actually use. Or so says Rich's Macworld editor, based on his article title. The audio-only version is up too.


New Paper! The Security Pro’s Guide to Cloud File Storage and Collaboration

You read the series, now it's time to download the collected works. Okay, maybe you read the series of blog posts. And by "collected works" I mean "white paper", but you get the idea. This is one I wanted to do a year or two ago, but the market wasn't ready. Fortunately the services have advanced significantly and enterprise adoption is rapidly increasing.

Before I link to the paper, an important note. I call these Cloud File Storage and Collaboration services, but Enterprise File Sync and Share is more commonly used. Sync and Share is limiting as a term, and includes non-cloud options I don't consider in this paper. So I broke my usual rule and used a not-quite-universally-accepted term – hopefully I won't regret it later.

This paper covers all the basics: how they work, core security features, and advanced security features. You can download the paper here:

The Security Pro's Guide to Cloud File Storage and Collaboration (PDF)
Landing Page

Thanks to Box for licensing the content.


Summary: Seven Year Scratch

Sometimes life sneaks up on you. Often when I am introduced to new clients and professional contacts, it is as "Analyst and CEO of Securosis; he used to be at Gartner". I am fully cognizant of the fact that not only is Gartner where I started my analyst career, but also that my time and title there are the reason I was able to start Securosis. Not only did I learn how to be an analyst, but the Gartner name (as much as it pains some people) still carries a lot of weight. Leaving as a VP carries even more (a gift from my former boss, who knew he could never get my pay where it needed to be). It still carries weight to this day. We have a hell of a good brand in Securosis, but large swaths of the world have never heard of us. "Former Gartner" still helps open those doors. Even though the kind of work we do today bears very little resemblance to what I did back at the G. To be honest, I'm not even sure we are analysts anymore. It's still part of what we do, but only one facet.

Recently I have run into more of my former colleagues at various events. Black Hat, Boxworks, and other random analyst days and conferences. Most of them still work there, and all are shocked when I mention that I have now been running Securosis longer than I was at Gartner. This summer we passed the 7-year mark as a company. That's exactly as long as I was at Gartner, and I wasn't even an analyst for my first year. It's longer than any other professional job I have held, and almost as long as I spent at the University of Colorado (8 years for my undergrad – it's a Boulder thing).

I still remember the first few months of the company. How I could barely sleep at night because I was so excited about what the next day would hold. Waking up early and jumping on my computer to blog, research, and spend entirely too much time on Twitter. Seven years is a long time to maintain that enthusiasm.

Since then I have added three children to my family, been through two major medical challenges, and built up the stress and overhead that comes from moving from a one-person shop with no clients… to one with partners, contributors, software platforms, and dozens of active clients (not counting all the one-off projects). I now literally lose entire days purely to dealing with travel plans, invoices, and expenses. And really, no one with three kids under the age of five ever wakes up, on their own, with enthusiasm.

But despite the overhead, chronic sleep deprivation, and stress of deadlines and commitments, this is the single most exciting time of my career. I may wake up a little rough around the edges, and feel like there is never enough time in the day, but I am engaged in my most compelling and challenging work since I first entered the workforce as an underweight security guard.

About four or five years ago I placed a bet on cloud computing, and later on what is now known as DevOps. Those bets are paying off big time as those entangled disruptive forces trigger massive changes in how we deliver and consume technology. Aside from paying off financially (apparently there still aren't that many people who really understand cloud and DevOps security out there), the work is… exciting. It's a hell of a lot of fun. Every day I wake up not only with something new to learn, but with the confidence that I can use it to support my family as I gain and expand that knowledge. It is really hard to imagine a better job (without zero gravity or secret lairs). Although being interviewed by the Wall Street Journal on celebrity nudes was still kind of a surprise.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Rich quoted in the Wall Street Journal on the celebrity hacks.
Rich's article on the same issue at TidBITS. And a zillion other articles on the story.
Mike quoted on context-aware security in SearchNetworking.
Mike quoted on Wendy Nather being named a "Power Player" in Security. Wendy is awesome and one of our favorite people in the industry. Mike couldn't be happier to be quoted in the piece.
Mike's "Change Agent" – Trusted Information Systems. Mike did a blog post/video for Digital Guardian naming a "change agent" that had an impact on how security has evolved… Check it out.
Mortman Quoted about DevOps by the Hulminator. Chasing consistency across the wild seas of enterprise IT.

Favorite Securosis Posts

Let's be honest: we only had three posts by Mike this week, so we'll call them all favorites.

Other Securosis Posts

Feeding at the Data Breach Trough.
Incite 9/3/2014: Potential.
PR Fiascos for Dummies.

Favorite Outside Posts

Mike Rothman: Infosec is a strange industry. Gunnar is right. There are many parallels between security and finance (another 'strange' industry). I'd add another to the list. Success in security is when nothing happens. If that's not strange, I don't know what is…
Adrian Lane: 11 Reasons Email Is the Worst. This is fascinating – not for the insights into the limitations of email, but for its astute examination of human behavior. Worth the read!
Rich: Not Safe for Not Working On by Dan Kaminsky. Dan really addresses the root issue here, at both psychological and practical levels. Must read.
Gunnar: Hacker Breached HealthCare.gov Insurance Site. "If this happened anywhere other than HealthCare.gov, it wouldn't be news," a senior DHS official said. Not the best excuse.
Mortman: Bringing new security features to Docker.

Research Reports and Presentations

The 2015 Endpoint and Mobile Security Buyer's Guide.
Analysis of the 2014 Open Source Development and Application Security Survey.
Defending Against Network-based Distributed Denial of Service Attacks.
Reducing Attack Surface with Application Control.
Leveraging Threat Intelligence in Security Monitoring.
The Future of


Friday Summary: STEM

A few days after returning from DEF CON my family experienced an inevitable life-changing event you cannot really prepare for. Kindergarten. That's right. If you have been following this site since it started 8 years ago, you have watched as I went from a newly married dude in his 30's traipsing around the world, to a… and I find this really hard to say… responsible parent with school-aged children. My life schedule is now officially defined by the State of Arizona and the Paradise Valley Unified School District. So long off-week Disney trips; hello PTO, early dismissal days, and parent/teacher meetings.

To be honest, it's pretty exciting. For some reason American society thinks that if you manage to keep your kids alive for the first five years, then the state should step up and provide a little support and education. Those of you who ran through the private daycare gauntlet know exactly what I am talking about. The thing my daughter is most excited about? The idea of a teacher sticking around for more than three months.

We actually went ahead and got our 5-year-old accepted to a charter school that's closer to our home than the school she would normally go to (due to the vagaries of subdivisions). It's actually a normal public school, but they get a little extra funding and have a STEM program, and it is considered an in-district transfer. We got our 3-year-old into the pre-K program at the same school.

I have already experienced some highs and lows with the STEM program. It was very important to me – even if my kids go into non-technology careers, a solid technical foundation will help in whatever they do. Also, I hoped going to a STEM-enhanced school would help compensate for the many issues with technology and science education for girls. I wasn't certain how often they had STEM class, but quickly learned they attend every week. Not bad for a group of kids who generally cannot read yet. Then again, last week our conversation went like this.

"How was school? What did you do?"
"We did this thing called STIM?"
"Awesome! That's STEM! It's science and technology! What did you do?"
"We colored a picture of a scientist."
"Oh."

This week they talked about what scientists do. It wasn't terrible, and she learned that science is about asking questions. On the other hand, over the weekend we played Robot Turtles and started learning about how that board game teaches programming. And how we can use it to program our Lego robot. And the next day the kids begged me to do science, so I pulled out our polymer lab kit and we experimented with making fake snow, absorbing water, and making goo. The weekend before they asked to go to the Arizona Science Center and we had a total temper tantrum pulling them out of the paper airplane exhibit because her helicopter design wasn't working. Heck, I took them to HacKid and they loved it, even the 3-year-old. I really hope the classes go hands-on soon, because talking about something is no way to foster lifelong interest.

We live in a golden age for science and technology education. Instead of learning to program to move a fake turtle on a screen (let's be honest, it was barely a pixel), our kids can move real robots in the real world… without knowing how to read. 3D printers, microscope lenses for phones, cheap bio sensors, drones, microprocessors – technology has never been more accessible (at least if you live in an affluent area – let's be honest). My kids will get this all at home. Those are my hobbies, and I hope my love of science and technology influences them. It will be nice if school reinforces that, but I will not rely on it. There is one exception to my golden age comment – it's a crappy time for chemistry sets thanks to terrorists and meth dealers. Or an overly-paranoid government and stupid DHS rules. Or something like that.

On to the Summary:

Favorite Securosis Posts

Adrian Lane: CISO's Head Asplode.
Mike Rothman: Firestarter: You Can't Handle the Gartner. I'll admit it. I don't watch other folks' videocasts or listen to their podcasts. But I would watch/listen to ours. Mostly because it's entertaining, and even helpful. And yes, we actually have a good time recording it.
Rich: APT hits the ER. There is much more to this than you think. I know of some big healthcare breaches that originated overseas but haven't been made public.

Other Securosis Posts

Incite 8/20/2014: Better get a Bucket.
21st Century Shakedown.

Favorite Outside Posts

Adrian Lane: 96% decline in NYC car theft. Interesting how a single innovation can thwart an entire class of security issues.
Mike Rothman: Visualization for Security. We (as an industry) aren't very good at visualization. So check out this deck from Raffael Marty, who is one of the leading visualization dudes in the industry. And learn some stuff.
Rich: Apple begins storing user data in China. It's going to be interesting to see how Apple handles user privacy overseas, considering their intense focus on privacy as a competitive differentiator here in the US. The fact is you simply cannot offer these services in some countries without opening them to the local government, in ways you don't have to here, even with all our recent NSA concerns.
Gunnar Peterson: Michael Daniel's Path to the White House: CyberSec Coordinator Tells Why Lack of Tech Know-How Helps. What's next? A Treasury Secretary who brags about not knowing about banks? You can't make it up. I get that execs (a czar counts as an exec, right?) cannot be down "in the weeds" but you have to be able to tell a weed from a flower or a vegetable. Rich adds: this astounds me. It shouldn't but it does, and the fact that he sees this as an advantage means he is completely unqualified for his job.
Dave Lewis: The Puerile


Firestarter: You Can’t Handle the Gartner

After our little Black Hat and DEF CON induced hiatus, the boys are back to talk about the latest vendor suing Gartner. Yes, there is a Gartner Tax. No, it isn't what you think. No, there is no pay for play. Yes, there are better ways to handle this. Yes, end users love Magic Quadrants no matter how much you trash talk them. And yeah, somehow we know a bit about how all this works from all sides. The audio-only version is up too.


Cloud File Storage and Collaboration: Additional Security Features

This is part 4 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper is available on GitHub as we write it. See also part 1, part 2, and part 3. Additional Security Features The core security features are a baseline which enterprise and business customers should look for when selecting a service for their organization, but the various services also offer a plethora of additional security features. Providers see this as a way to entice enterprise users onto their services, show advantages over traditional storage infrastructure, and create competitive differentiation. So security is used as both a competitive baseline and a differentiator, which is why we see new capabilities appear consistently. The odds are high this report won’t cover everything available by the time you read it. Universal search and investigation support As we described earlier, most cloud storage providers track all files, offer content search, and track every user and every device that accesses each file, including who viewed it in a web browser, downloaded a copy, or synced it with a computer or mobile device. That single central control point enables fairly powerful security capabilities. Worried a document leaked? Find all copies and the entire access history. An obvious caveat applies: once a file leaves the service it isn’t tracked, but at least you have a starting point to identify where it went. This is often one of the more difficult first steps in any leak/breach/abuse investigation, because traditional storage products rarely track this level of detail. Enhancing this is full content indexing and search. This isn’t purely a security feature, but enables you to search your entire cloud storage repository for keywords or other specific content. Some providers offer options for more advanced searches, particularly regular expressions. 
This is also useful for non-security reasons, so we expect indexing and searching capabilities to increase over time, but make sure you understand what your provider supports now. Another limitation is that providers don’t support every possible document type. For example, the odds are low that your CAD file format is supported today. Typically standard Office and text formats are supported – check with potential providers rather than assuming. Client-managed encryption All enterprise-class cloud storage providers encrypt data in their backend, but they manage the keys and can thus technically see your content. There are now third-party security vendors who encrypt cloud data using different approaches, and some cloud storage vendors are adapting their architectures to allow customers to encrypt directly within the service, but control their own keys. This is a different approach than using a third-party tool. Your cloud provider still handles the encryption in their backend but you have your own encryption keys. There are two major options: The cloud platform endpoint agents handle encryption operations synchronized with your enterprise key store. For this to work they need to include the capability in both workstation and mobile agents, and a mechanism for integrating key distribution. The cloud platform manages encryption in their backend, but opens mechanisms for enterprise users to provision and manage their own keys. There are a few ways to handle this technically, but typically it involves a Hardware Security Module (HSM) that is located in the cloud provider’s data center yet managed by the client, in a client data center, or at a infrastructure cloud provider. The important part is that the customer rather than the cloud provider, is the only one who can manage keys. Technically they are exposed in the cloud provider’s data center during cryptographic operations, but if architected correctly the risk of key exposure can be minimized. 
We won’t be surprised to see other approaches develop over time, but these are the two we know are on the market or soon will be. In both cases the customer needs their own key management infrastructure. One major warning: encrypting data with your own key breaks most or all collaboration features and any indexing/search, because the cloud provider cannot read your content. So it is something you should generally limit to your most sensitive data. Apply it to everything, and you may see users try to circumvent encryption so they can take advantage of platform features you do not support.

Data Loss Prevention

Full-text indexing and search, combined with a complete audit log of all activity associated with a file, meets our definition for basic content-aware DLP. In addition, a cloud provider can offer real-time monitoring of all content based on search terms, and tie them to enforcement policies. For example, a cloud storage provider could quarantine a file and alert an administrator any time a credit card number is found. This enables enterprise-wide content policies for the entire cloud storage platform. More advanced rules can apply by user or group, restricting only certain activities – perhaps “never share a file with PII or this keyword in it externally”, or any other combination of analysis and rules, such as device restrictions. DLP combines full content indexing and search with persistent policies for near-real-time content-aware protection.

The market for integrated DLP is still extremely young, and when available its features tend to be limited. Third-party integration can provide more capability, and as with everything else we expect to see capabilities expand at a reasonable pace. In discussions with clients this seems to be a popular requirement, which will continue to push the market along.

DRM/IRM

Digital Rights Management, also known as Information Rights Management, is defined as encrypting data and then limiting its usage through rights policies. For example, allowing someone to view a file but not email or print it. Because cloud file storage and collaboration services often include in-browser readers and granular rights policies, they can enable a limited version of DRM. Set a policy so a file can only be viewed in a browser and never downloaded, and you can restrict activity. But to be truly considered DRM the service should include in-browser protections against actions like Copy and screen
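The policy model sketched under Data Loss Prevention above, as an added example that is not from the original post or from any cloud storage vendor: a small content-aware evaluator that finds Luhn-valid card numbers in file content and applies two constructed policies, quarantine on any card number platform-wide, and block external sharing of keyword-tagged files for one group. The file contents, group names, keywords and policy names are all constructed for the example.

```python
"""Toy content-aware DLP evaluator (added example; events and policies are constructed)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out ticket ids and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return separator-free card numbers found in text that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Policy:
    name: str
    action: str                          # "quarantine" or "block_share"
    groups: Optional[Set[str]] = None    # None means the rule applies to every group
    keywords: Set[str] = field(default_factory=set)
    match_card_numbers: bool = False
    external_only: bool = False          # only evaluated on external sharing


@dataclass
class FileEvent:
    path: str
    owner_group: str
    content: str
    activity: str                        # "upload", "share_internal", "share_external"


def evaluate(event: FileEvent, policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (policy name, action) for every policy the event violates."""
    verdicts = []
    lowered = event.content.lower()
    cards = find_card_numbers(event.content)
    for p in policies:
        if p.groups is not None and event.owner_group not in p.groups:
            continue
        if p.external_only and event.activity != "share_external":
            continue
        hit = (p.match_card_numbers and bool(cards)) or any(k in lowered for k in p.keywords)
        if hit:
            verdicts.append((p.name, p.action))
    return verdicts


# Constructed policies: one platform-wide rule, one group-scoped rule on external sharing.
POLICIES = [
    Policy("card-number-anywhere", "quarantine", match_card_numbers=True),
    Policy("no-external-confidential", "block_share", groups={"engineering"},
           keywords={"confidential", "falcon"}, external_only=True),
]

# Constructed file events; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLE_EVENTS = [
    FileEvent("expenses.txt", "finance", "Corporate card 4111 1111 1111 1111 for travel.", "upload"),
    FileEvent("notes.txt", "engineering", "Ticket id 1234 5678 9012 3456, no card here.", "share_external"),
    FileEvent("roadmap.txt", "engineering", "Project Falcon timeline, CONFIDENTIAL draft.", "share_external"),
    FileEvent("roadmap.txt", "engineering", "Project Falcon timeline, CONFIDENTIAL draft.", "share_internal"),
]


def run_sample() -> Dict[str, List[Tuple[str, str]]]:
    """Evaluate every sample event against the policies, keyed by path and activity."""
    return {f"{e.path}:{e.activity}": evaluate(e, POLICIES) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for key, verdicts in run_sample().items():
        print(key, verdicts or "allow")
```

The Luhn check is what keeps a rule like "quarantine on any credit card number" from firing on every 16-digit ticket or order id, and the `external_only` flag is the "never share externally" restriction from the text applied only to the sharing activity, so the same file uploaded or shared internally passes.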

All Good Things

Side note: we are aware of the site issues and are working hard on them. There were major changes to the platform we use, and they conflict with our high-security setup. I think we should have it fixed soon, and we apologize. That’s what we get for having a non-DevOps-y legacy site.

Right now it is 68F here in Boulder, with an expected high of 89F. A little toasty. It’s 92F in Phoenix, with an expected high of 109F. Yesterday they hit 115F, breaking the record. A little helly. Stupid humans and global warming.

We are down to the last five days of our month in Boulder. Staring down 110F+ temperatures isn’t doing much to improve my enthusiasm about heading home. Then again, I’ll only be home for one night before I head off to nine days in Vegas for Black Hat and DEF CON. I think it might be a degree or two cooler there than in Phoenix, so I have that going for me. Which is nice.

The end of a trip, especially an extended one, is always a melancholy time. I didn’t accomplish nearly everything I hoped, but still can’t complain. I caught up with most of my friends, enjoyed watching my girls take swim lessons at the pool I taught at 20 years ago, hit nearly all my favorite restaurants, and learned that there are a c**p-load of kid-friendly parks in Boulder. Kind of never noticed them pre-kids. On the downside I didn’t get nearly as many rides or runs in as I hoped. Some friends’ schedules simply didn’t work out. And although we snuck in a few family hikes, I really hoped to spend more time in the mountains. Then again, that’s sorta tough with 5-, 3-, and 1-year-olds.

I had two main goals coming into this trip, and completely accomplished both of them. First was to simply relax and let the mountain air reduce my stress level. Work-wise it actually turned into a pretty packed month, but something about this town helps me maintain my center. It isn’t anything metaphysical, just an effect of settling into a place where you feel completely comfortable.
I also wanted to get my kids out of the heat, and give them a summer adventure with a lot of time in the outdoors. To build up good memories of a place that is so important to me. You know, blatantly manipulate my kids. It totally worked.

But summer is coming to a close and it’s time to gear up for the fall sprint. The workload is looking pretty intense, but continues the trend of some of the most fulfilling projects of my career. It starts with our Black Hat cloud security training, where I have a bunch of new material for advanced students I am excited to try out.

So I didn’t spend as much time at coffee shops playing aging hipster as I expected (thanks to JumpCloud for loaning me a desk during my trip), didn’t spend as much time wandering the hills, and missed a couple friends. But in the end everything went pretty much perfectly. I’m mentally refreshed and ready to attack, the kids have awesome memories and some new favorite places, and no one ended up in the ER this time, so I think we get to come back next year. All good. Assuming our air conditioning still works in Phoenix.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Rich did a webcast on cloud security (with a SaaS focus) for Elastica.

Favorite Securosis Posts

  • David Mortman: TI+IR/M: The New Incident (Response) & Management Process Model.
  • Adrian Lane: Hacker Summer Camp. There is always something going on before Black Hat, and this year has its share of drama.
  • Mike Rothman: Firestarter: Security Summer Camp. A little over a week out, and I’m starting to get fired up. Schedule locked down, liver primed, ready to descend on Vegas. Good thing I don’t need to worry about disclosures or anything…
  • Rich: Cloud File Storage and Collaboration: Core Security Features. I am picking my own post because I could use some feedback on this one.

Other Securosis Posts

  • The 2015 Endpoint and Mobile Security Buyer’s Guide [Updated Paper].
  • TI+IR/M: Quick Wins.
  • Cloud File Storage and Collaboration: Overview and Baseline Security.
  • Incite 7/23/2014: Mystic Rhythms.
  • TI+IR/M: The New Incident (Response) & Management Process Model.
  • TI+IR/M: Threat Intelligence + Data Collection = Responding Better.
  • Leading Security ‘People’.

Favorite Outside Posts

  • David Mortman: The Promises of DevOps.
  • Mike Rothman: Losing my religion. Hadn’t thought about Silicon Valley as a land of zealots, but after reading Chris Shipley’s post I get it. Though in order to do the things you do at a start-up (or even a big tech company) you need to believe. And that’s certainly many folks’ definition of religion…
  • Adrian Lane: This Box Can Hold an Entire Netflix. A surprisingly ‘server-hugger’ style approach to content delivery, from one of the most whole-hearted and innovative cloud companies out there. A very interesting read!

Research Reports and Presentations

  • The 2015 Endpoint and Mobile Security Buyer’s Guide.
  • Analysis of the 2014 Open Source Development and Application Security Survey.
  • Defending Against Network-based Distributed Denial of Service Attacks.
  • Reducing Attack Surface with Application Control.
  • Leveraging Threat Intelligence in Security Monitoring.
  • The Future of Security: The Trends and Technologies Transforming Security.
  • Security Analytics with Big Data.
  • Security Management 2.5: Replacing Your SIEM Yet?
  • Defending Data on iOS 7.
  • Eliminate Surprises with Security Assurance and Testing.

Top News and Posts

  • Threat Modeling: Designing for Security
  • Anti-Surveillance Camouflage for Your Face
  • Apple’s Legal Process Guidelines: U.S. Law Enforcement
  • Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices. Slides.
  • Apple’s support note on the tools mentioned in the presentation above. As expected, they have legitimate uses and don’t circumvent security controls. It will be interesting to see whether iOS 8 changes in response.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.