Research

I will not write about Manti Te’o. I will not write about Manti Te’o. I will not write about Manti… ah hell, who am I kidding. Wednesday afternoon I was about to head out to meet a buddy for happy hour when he texted that he would be late because of getting caught up in the story (which had just broken). That was cool – I was in the middle of the same article. (If you don’t know what I’m talking about, this should get you up to speed. I admit I’m not the biggest pro sports guy in the world. I enjoy sports, especially football, and played in high school, but years of living in Colorado and spending my winter weekends hunting for fresh powder broke the habit. Living in Phoenix now, I have tried to get back into it, but even if I can snag a TV from my young kids to watch a game, the odds are very high that they will hunt me down to play with them. Seriously, I can’t even take a morning constitutional in peace anymore. Back to Te’o. It is barely conceivable to me that he wasn’t somehow in on it. If this was a catfish, it is one of the best in history (and Te’o should be sent back to community college for remedial reality training). Plus, his family also had to be in on it for their statements to make sense. And let’s not forget the lazy reporters who clearly made s–t up. No, Occam’s Razor likely applies, and Te’o had better sprint to Oprah’s couch before it cools down from Lance. That’s right, it’s liar’s week in the sports world. The buddy I met for happy hour works part time as a sportswriter, and our conversation naturally shifted from Te’o to Lance because I’m big into cycling. As the Lance saga continues I can’t but help be perplexed at the quintuple standard applied to different sports. A lot of people like to call cycling the dirtiest sport out there, but these days it has the strictest performance enhancing drug controls of any professional sport. Not that there still isn’t cheating – it is rampant. When I was out for the Tour last summer the rumor was that the only teams racing solidly clean were Garmin-Sharp-Barracuda (my hosts) and Sky. There were a lot of other clean riders, but more as individuals rather than being on a clean team that managed their own testing to keep things that way. And guess what? A rider from a clean team won the Tour despite battling the dopers. This was possible because the program limits the degree to which people can cheat. Unlike back in Lance’s day, the bio-passport system basically puts a hard limit on how much a rider can enhance without triggering alarm bells. Now go watch some football this weekend. If you think a 300+ pound lineman can legitimately runs a sub-5.0 40, I have a really cute girl on Facebook you should meet. Cycling gets a lot of guff because the riders get caught more, and for some reason people want clean riders. Maybe because, unlike football, a weekend cyclist can directly compare their stats to a pro. Talking with my sportswriter friend, he mentioned they have published articles on potential PEDs in football and no one cares. This despite the fact the increased player size and speed directly correlate to worse injuries and the current problems with traumatic brain injuries. We want our gladiators and we want them big. Sports is entertainment and Sports Center is no different than People Magazine in the end. We want our scandals, heroes, and blood sacrifices, no matter the costs. Just like our… —–, but I won’t go there. Crud. I meant this intro to end with humor. A linebacker, a cyclist, and Oprah walk into a bar… … never mind. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted by Reuters on Cisco’s network security competitiveness. Mike quoted in the Merc about Cisco’s network security (missed) opportunity. Adrian’s Dark Reading Post on DB Threats and Countermeasures. Rich’s excellent TidBITS post on Apple’s Security Efforts in 2012. Adrian’s Dark Reading post on Big Data Security Recommendations. Favorite Securosis Posts Adrian Lane: Emotional Whiplash. Mike nailed it. And I only saw the first and fourth quarters! Mike Rothman: Does Big Data Advance Security Analytics? Adrian wins buzzword bingo this week. But the post is important because both Big Data and Security Analytics will be front and center in a lot of security marketing this year. David Mortman: Don’t be a douche… So much for family friendly, eh, Mike? Rich: A different kind of APT. Mike totally stole this one from me. Other Securosis Posts The Fifth Annual Securosis Disaster Recovery Breakfast. My DHS Beats Your FDA. Understanding IAM for Cloud Services: Integration. Time to Play Nice with SCADA Kids. Beware of Self-Proclaimed Experts. Mobile Identity–WTF? Help Me Pick My Next Paper Topic. Bolting on Security – at Scale. Let’s Get Physical – Road Rules Edition. Happy Out of Cycle IE Patch Monday. You Can’t Handle the Truth. Favorite Outside Posts Adrian Lane: Five Mitzvahs of Cloud Computing. Leverage what you’ve got, point 4, is dead-on! Mike Rothman: Steak Drop. Physics FTW. If you ever asked yourself “From what height would you need to drop a steak for it to be cooked when it hit the ground?,” then you need to read this xkcd What-if? post. I wonder if the answer changes if you use a veggie burger? James Arlen: Great stuff in here: NERC CIP V5 is Coming. Places emphasis on the automation of data collection to enable compliant operations. More automation is useful – but much like with banking, you need to be able to do it by hand before you get infatuated with a system. David Mortman: Notes on distributed systems for young bloods. Rich: The Verge on Vegas casinos battling cheating. I’m fascinated by casino security. Research

Hey folks, Just a quick note that I am trying to decide between a few different topics for my next paper. If you have a moment, I could use your opinion. Which will take no more than 5-15 seconds when you click this link. The options are: BYOD Security Fundamentals Defending Cloud Data – Encrypting for Dropbox, Box.net, and Friends Defending Data in Cloud Infrastructures – IaaS Encryption and Data Security Defending Enterprise Data on Mobile Devices Other (please specify) I threw it out on Twitter and IaaS encryption took an early lead, which is interesting because I expected it to be BYOD. Thus I decided to double up and push it out through the blog. Thanks. Share:

Zero-day in the wild, in a popular exploit kit. From Brian Krebs: The hackers who maintain Blackhole and Nuclear Pack – competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they’ve added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. Alienvault confirms: Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab. To the best of your ability, disable Java in browsers and keep it that way. Otherwise you need alternate compensating controls. No idea if EMET helps with this, but that’s one place to start looking. Share:

I can’t believe I forgot to post here when I put the article up on TidBITS, but here you go: Do You Need Mac Antivirus Software in 2013? While Macs aren’t immune to malicious software (malware), and we even experienced one reasonably widespread incident in 2012, malware on Macs is still not nearly common enough to recommend antivirus software for everyone. And while antivirus tools are effective against certain known attacks, they often don’t provide the level of protection people expect. … If Mac antivirus tools offered 100 percent effectiveness – or even 99 percent – I might take a different position. If we ever see massive volumes of malware, as happens in the Windows world, I might change my recommendations. But at this point, there are so few Mac malware infections, and antivirus tools are so limited, that for most users of current versions of OS X, antivirus doesn’t make sense. During the Flashback infection there were accusations that Mac users were too smug, or too ill-informed, to install antivirus software. But the reality is that antivirus tools offer only limited protection, and relying on antivirus for your security is as naive as believing Macs are invulnerable. Enterprises are a different story. Share:

It shouldn’t come as any surprise, but big financials are still suffering a wave of DDoS attacks. DDoS is like an accidental amputation – there is no question whether it’s a problem. The trick is to know ahead of time if you are on the list, and the best thing to do is keep an eye on your peers. Not everyone needs to invest proactively in DDoS protection, but you sure as heck need a plan and a vendor contact just in case. Especially if you are big, handle money, work with (or piss off) governments located “East” (Europe, Asia, Middle, whatever), or like to poke Anonymous. Update 1/9: According to the New York Times, a “former” gov official with connections says Iran is definitely behind the attacks. Backing up the rumors we’ve all been hearing from the start. Share:

ENISA released a solid BYOD/Consumeriation of IT guide. At first I was turned off by phrases in the executive summary like: Ensure that governance aspects are derived from business processes and protection requirements, and are defined before dealing with technology. But once you get into it, this is a great starter guide that includes both policy and technical pieces. Best part: a lot of examples and links to real world projects. Worst parts: the DLP bits don’t reflect what’s available (over-estimates); and some vendor-specific language. Share:

“Last year, one billion dollars was stolen in the U.S. by Romanian hackers,” says American ambassador in Bucharest, Mark Gitenstein. I expect to see this used in plenty of presentations and press releases in the coming months. If you use the number, you have to prove it is real. Good luck with that. Share:

A good update at Threatpost: Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against a number of political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski. More motivation to move to updated browsers, as difficult as that often is. I’m really hoping IE 10 can break this cycle a bit (and I bet Microsoft is as well). Still, IE 8 is only a bit over 3 years old, which isn’t all that ancient compared to XP. If you are stuck on old browsers, and have the capability, take a serious look at EMET. Kills most of these attacks cold. Share:

The Washington Post sort-of covers honeypots, but mixes in national security issues. But one paragraph is out of place, because the article doesn’t really cover strike-back: Those actions probably would violate federal law, FBI officials said. The bureau also warns that the use of deceptive tactics could backfire – hackers who identify data as bogus may be all the more determined to target the company trying to con them. TL;DR: good guys are baiting systems with data, not just standing up honeypots. Then they can alert any time anyone touches the bait – there are a bunch of ways to do this. We talked a little about this last year. And yep, we are implementing it ourselves in a few places – no special security products needed. Don’t ask us where. Share:

For the short version, read Rob Graham at Errata Security. Google detected someone attempting a man in the middle attack using a certificate issued in Turkey. TURKTRUST issued two subsidiary Certificate Authority certs which allowed whoever had them to sign any certificate they wanted, for any domain they wanted. Yes, this is how SSL works and it’s a big mess (I talked about it a little in 2011). Google likely detected this using DNS Pinning. Every version of Chrome checks any Google certificate against a list of legitimate Google certificates, which they build into Chrome itself. If there’s a mismatch, Chrome detects and can report it. Nice, eh? That’s why Rob says don’t mess with Google. You try to MitM any of their domains, and if any users run Chrome they are likely to find out. Everyone else (who can) should do this. Share: