Research

The past week has been a bit of a whirlwind. Last Friday I flew out to Denver for a family thing, then transferred over to Boulder for a DevOps.com advisory board meeting, Camp DevOps (where I presented), and Gluecon. In between I spent a day with the friends who are loaning us their house for the month of July (while they caravan around the US with their kids), snuck in a 30 mile bike ride and 5 mile run, and hit some of my favorite Boulder restaurants (SouthSide cafe, Southern Sun, & Mountain Sun). I also learned I have a bad habit of telling people I’m “from Boulder but I live in Phoenix” when they ask. Camp DevOps was a really great event on multiple levels. First it was pretty great to be back on the University of Colorado campus. I spent 8 years there as an undergrad, and worked everything from low-level student jobs to full-time staff. It is where my IT career started, and I loved getting back and having the opportunity to share some of what I’ve learned in the decades since. Alan Shimel put on a solid first-time event. The very first track talk resolved an issue I have been researching (sending backups and logs to Amazon S3), and I picked up plenty of tidbits through the day. The Boulder tech community has a great vibe. It is very supportive in a way that is hard to replicate in larger cities which don’t shut down on powder days. Gluecon in Denver was also a solid show, although I wish I didn’t have to bail out early in an attempt to avoid some bad weather (more on that in a moment). Camp DevOps was also slightly intimidating for me personally. I was giving a technical security talk to a bunch of developers. The challenge was to keep their interest, provide relevance, and meet their deep content expectations. According to the feedback, I was right on target. And based on other sessions I attended, I have rebuilt a lot of skills I lost when I moved more into the analyst world. We in the security community often talk about developers like we do about Mac users. We assume they don’t care about security or prioritize it. In both cases, as I have become part of these communities I realized that they do care about security, but within a different context. It has to meld with their primary priorities, and we can’t harangue or insult them for their naivete. Participate, don’t preach, and you get a very positive reaction. Everyone wants to stay safe. And speaking of staying safe, Adrian left the event right in time to dodge a tornado at the Denver airport. We were in different terminals when the tornado warning hit, and Adrian texted that he was evacuated to the shelter as I started to wonder if my terminal… was less important. About 10 minutes later we got the order, and as a well-trained emergency responder I found a big window right next to one of the shelter areas. I joined the crowd gawking as the storm clouds started rotating overhead and the hail moved in, followed by blue skies. The tornado touched down 8 miles away, and my flight took off only an hour late. Oh well – I was really hoping to knock that one off the bucket list. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted in Do you really think the CEOs resignation from Target was due to security? Favorite Securosis Posts Adrian Lane: Recitals. “The FUD is strong in this one” Mike Rothman: Firestarter: The Wife-Beater (t-shirt) edition. No spouses were harmed in the production of this week’s Firestarter. But we were able to give Adrian a hard time about his attire before we started recording. Which was full of win. The actual video cast was pretty good too, even though Rich was mostly pixelated. Rich: CEO on Line 2. Other Securosis Posts When Security Services Attack. Favorite Outside Posts Adrian Lane: Chip and Skim: cloning EMV cards with the pre-play attack. I am not certain how viable this attack is, but if it’s true you can use an arbitrary nonce value as part of a replay attack, this is a serious flaw. Mike Rothman: Buffett: Teach kids financial literacy to spark entrepreneurship. Adrian and Gunnar’s idol (and I’m a fan myself) has some great perspective on teaching kids about money. This sums it up: “Financial literacy is a base requirement like spelling or reading or something of the sort that everybody should acquire at any early age.” Yup. Rich: U.S. Companies Hacked by Chinese Didn’t Tell Investors (via The Verge). I still believe many, if not most, breaches aren’t reported – even when there is a legal requirement. I have been told in multiple cases that the companies determine it is in their interest not to disclose. Often they use the law enforcement investigation loophole. Gal: Lifelock deletes user data over safety concerns. Then Goldman downgrades them over concerns that their app wasn’t PCI compliant. Security and compliance has impact on the larger business… duh. Research Reports and Presentations Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Top News and Posts eBay Urges Password Changes After Breach ICS-CERT Confirms Public Utility Compromised Recently. NSA Reform Bill Passes the House–With a Gaping Loophole. Buzzkill: FBI director says he was joking about hiring weed-smoking hackers. There go the Washington and Colorado FBI offices… New IE8 0-day by ZDI. Share:

We apologize for the quality of this week’s show… but Rich is on the road and can’t seem to understand the word ‘bandwidth’. Assuming you are willing to put up with us, watch us amuse ourselves over FBI wanted posters with Chinese army members on them. Then we debate the sometimes-sorry state of 95% of the 863 security cons in the world. The audio-only version is up too.   Share:

A lot is going on in security land, so Rich, Mike, and Adrian return with another 3 for 5 episode. Three stories, five minutes each, all the sarcastic bite in a convenient package. The audio-only version is up too.   Share:

Rich here. A quick mention: I will run a security session at Camp DevOps in Boulder on May 20th. I am looking forward to learning some things myself. My wife and I spent this past weekend up in Flagstaff, AZ for our anniversary. I am not much of a city guy, and am really much happier up in the mountains. There is just something about the thin air that lifts my spirits. Our home is on the Northwest corner of Phoenix, with easy access to the hills, so Flag is a frequent getaway. It has mountains, half a dozen craft breweries, a compact downtown with surprisingly good food, and a place called “Hops on Birch” – what’s not to like? The best part (that I will talk about) was walking into a coffee shop/bar around lunchtime and realizing it was where all the local bartenders congregate to recover. We learned a lot about the town while sipping Irish coffees. Scratch that – the best part was ditching the kids. And walking to three of those craft breweries before ending with dinner at the Thai place. But top three for sure. As a researcher sometimes I forget that what seems blatantly obvious… isn’t. Take the reports today about Apple revealing what data it can share with law enforcement. I figured it was common knowledge, because Apple’s security model is pretty well documented, and I even lay out what is protected and how in my iOS security paper. But most reports miss the big piece: Apple can access the file system on a passcode protected device. Anyone else needs to use a jailbreak technique, which I find interesting. Especially because jailbreaks don’t work on recent hardware without a passcode. I had a pretty cool moment this week. I was writing an article on security automation for DevOps.com. I didn’t have the code for what I wanted, and it involved something I had never tried before. It only took about 20 minutes to figure it out and get it working. My days as an actual coder are long over, but it feels good to have recovered enough knowledge and skills that I can pinch hit when I need to. But it didn’t last long. I spent about 12 hours yesterday struggling to repair one of our cloud security training class (CCSK) labs. We have the students pick the latest version of Ubuntu in the AWS user interface when they launch instances, and then insert some scripts I wrote to set up all the labs and minimize their need for the command line. It pains me, but a lot of people out there get pissed if you force them to type in a black box instead of clicky-clicky. Thinking is hard and all. Ubuntu 14.04 broke one of the key scripts needed to make the labs work. I started debugging and testing, and for the life of me couldn’t figure it out. Nothing in logs, no errors even in verbose mode. I quickly narrowed down the broken piece, but not why it was broken. Running all the commands manually worked fine – it was only broken when running scripted. MySQL and Apache take a lot of domain knowledge I don’t have, and the Googles and Bings weren’t much help. Eventually I realized restarting MySQL was dropping the user account my script added. By changing the order around I got it working, but I still feel weird – I don’t know why it dropped the account. If you know, please share. On the upside I made the scripts much more user-friendly. I thought about completely automating it with all the DevOps stuff I have been learning, but the parts I have in there are important to reinforce the educational side of things so I left them. So a great weekend, fun coding, and a reminder of how little I really know. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted in “Do you really think the CEOs resignation from Target was due to security?” Adrian and Mort speaking next week at Secure360. Rich with Adam Engst at TidBITS on the iOS Data Protection bug. Favorite Securosis Posts Adrian Lane: Firestarter: There Is No SecDevOps. The boys did a nice job with this one – and Mike got all existential! That mindful stuff must be having an effect. Mike Rothman: Firestarter: There Is No SecDevOps. I get to say “Security must lose its sense of self in order to survive,” in this week’s Firestarter. That’s all good by me. We were a little light this week – sorry about that. Big projects, travel, and deadlines have been ongoing problems. But heck, we still blog more than nearly anyone else, so there! Other Securosis Posts Incite 5/7/2014: Accomplishments. New Paper: Advanced Endpoint and Server Protection. Favorite Outside Posts Adrian Lane: Shifting Cybercriminal Tactics. You may be tired of cyber security reports, but this one from MS is a quick read – and the change in tactics is a sign that MS’ efforts on trustworthy computing are working. Rich: The Hunt for El Chapo. I have been on a real crime story kick lately. Mike Rothman: Antivirus is Dead: Long Live Antivirus! Krebs goes on a rant about how attackers test their stuff before attacking you with it, and that is a big reason AV doesn’t work well any more. Research Reports and Presentations Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Top News and Posts What Target and Co aren’t telling you: your credit card data is still out there. Network Admin Allegedly Hacked Navy While on an Aircraft Carrier. Serious security flaw in OAuth, OpenID discovered. How the Target CEO resignation will affect other execs’

Adrian is off at the altar of Buffett (the other one – not the one I wear a coconut bra for), so Mike and I delved into SecDevOps, triggered by a post from Andrew Storms over at DevOps.com. This is where the world is heading folks – you might as well prepare yourselves now. The audio-only version is up too.   Share:

After missing a week, Rich, Mike, and Adrian return to talk about birthdays, the annual Verizon Data Breach Investigations Report, and child-induced alcohol consumption. The audio-only version is up too.   Share:

Rich here, Travel is about as close as any of us get to a time machine. Leave home, step into an airport, and you step out of your life, even in our hyper-connected world. Sure, you are still on email, still talking to your family over the phone or Skype/FaceTime, and still surrounded by screens spewing endless worthless updates on the tragedy du jour, but fundamentally you are cut off. From your normal life, daily patterns, and state of mind. It isn’t ‘bad’, but it is unavoidable – no matter how closely you hew to your familiar habits. Can you guess I am writing this Summary on an airplane? Yeah, go figure. Yesterday I finished the last trip on a string of travel that has kept me moving nearly every week since before the RSA conference in February. To be honest I haven’t really had a break since sometime before Thanksgiving. On top of the travel I have finished some of the more intense yet fulfilling research and projects of my career. It is cool to go from my first little 30-minute cloud presentation four or five years ago, to advising cloud providers on their technical security architectures and controls. I now get two weeks in a row at home before I knock out my next couple trips, with no behind-schedule project deliverables hovering on the horizon. While travel disconnects you from your life, it also spurs innovation and creativity by placing you in new environments, making new personal connections, and providing ample time for deep thoughts. Throughout this travel binge I have been speaking to tons of security and non-security IT pros throughout the world, getting a really good feel for what is happening at multiple levels of the industry. Mostly in my focus areas of cloud and DevOps. One thing that has popped out is that most cloud providers… aren’t. I have been seeing a ton of companies advertising themselves as Infrastructure as a Service, when they are really little more than remote hosting/colo options. They don’t included any autoscaling capabilities, and they tend to define ‘elastic’ as “click a bunch of stuff to launch a new virtual machine by hand”. Digging deep; some of them lack the fundamental technologies needed to even possibly scale to the size of an Azure, Google, Rackspace, or AWS; and a few poop their pants when I start going into the details. It is going to be interesting, and do your homework. The next tidbit is that many large enterprises are dipping their toes into the cloud, but most of them really don’t understand native cloud architectures so they stick with these non-elastic vendors. There is nothing inherently wrong with that but they don’t get the resiliency, agility, or economic benefits of going cloud native. I call them “cloud tourists”. Everyone needs to start someplace, and who am I to judge? But as usual there is a dark side. Non-elastic vendors are pushing not only false promises but a lot of misinformation in hopes of knocking off AWS (mostly). Factually incorrect information that misleads clients. I think I will do a blog post on it soon, either here or at devops.com because it is the kind of thing that can really cause enterprises headaches. Looking at the big analyst research, most of them fundamentally don’t understand the cloud and aren’t helping their clients. Lastly, one of the most rewarding lessons of the past few months has been the realization that my research on the cloud and Software Defined Security is dead on target. I am working the same problems as many of the major cloud-native brands – albeit not with their scale issues. I am coming up with the same answers, and reflecting their real practices. That is always my biggest fear as an analyst – especially going hands-on again – and it is a relief to know that the work we are publishing to help readers implement cloud security and DevOps is… you know… not analyst bullshit. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Sign up for our Cloud Security Training at Black Hat! Rich quoted on Mac security in USA Today. Mort quoted at DevOps.com. Mort wrote more on DevOps myths. Favorite Securosis Posts Mort: Understanding Role Based Access Control: Advanced Concepts Mike: Friday Summary: The IT Dysfunction Issue. There may be something to this DevOps thing. I’m glad Adrian (and Rich) like the Phoenix Project. It offers a quick glimpse into the future of provisioning/delivering value to customers through technology. Rich: Pass the Hemlock. I view it a little differently, taking survival lessons from my full-time paramedic days. The patient is the one who is sick, not you. Empathize, but maintain detachment. You invest yourself into work, but at the end of the day there are things you can’t change. If that gets to you too much, move on. Rich #2: Verizon DBIR 2014: Incident Classification Patterns. Other Securosis Posts Incite 4/23/2014: New Coat of Paint. DDoS-fuscation. Favorite Outside Posts Rich: It’s time for the FCC to stand up for Americans instead of ruining the internet. I realize the U.S. political system is no longer by and for the people, but this is an incredibly anti-business stance that sacrifices all businesses to help out a few. Mort: On Policy in the Data Center: The policy problem. Mike: Choose Your Own DBIR Adventure. Kudos to our buddy Rick Holland (congrats on the new baby BTW), who between changing diapers managed a good summary of the DBIR. He even has a section about how to use the DBIR (that seems familiar – I wonder why…). But flattery via imitation aside, Rick’s perspectives on the DBIR are solid. Gunnar’s World Gunnar had a bunch of related links, so we putting them all together in his words: I have one theme with a couple of links “If you are competing with Microsoft, which is to say you are in the technology business – have a look at the track record under Satya Nadella so far – sh*t just got real.” Azure Beyond Windows Beyond

In this week’s Firestarter the team makes up for last week and picks three different stories, each with a time limit. It’s like one of those ESPN shows, but with less content and personality. The audio-only version is up too. Share:

Last week we held a wake for Windows XP. This week we continue that trend, as we discuss the end of yet era – coincidentally linked to XP. Last week the venerable Thunderdome of security lists bid adieu, as the Full Disclosure list suddenly shut down. And yes, this discussion is about more than just one email list going bye-bye. The audio-only version is up too. Share:

We are always pretty happy-go-lucky around here, but some days we are really happy. Today is one of those days. As you probably grasped from the headline, we are insanely excited to announce that Jennifer ‘JJ’ Minella is now a Contributing Analyst here at Securosis. JJ has some of the deepest technical and product knowledge of anyone we know, on top of a strong grounding as a security generalist. As a security engineer she has implemented countless products in various organizations. She is also a heck of a good speaker/writer, able to translate complex topics into understandable chunks for non-techie types. There is a reason she worked her way up to the executive ranks. JJ also has one of the most refined BS sensors in the industry. Seems like a good fit, eh? This is actually a weird situation because we always wanted to have her on the team but figured she was too busy to ask. Mike and JJ even worked together for months on their RSA presentation. It was classic over-analysis – she didn’t hesitate when we finally brought it up. Okay, probably over beers at RSA, which is how a lot of our major decisions are made. JJ joins David Mortman, Gunnar Peterson, James Arlen, Dave Lewis, and Gal Shpantzer as a contributor. Mike, Adrian, and I feel very lucky to have such an amazing group of security pros practically volunteer their time to work with us and keep the research real. Share: