Research

Between new initiatives like cloud computing, and new mandates due to the continuous onslaught of compliance, managing encryption keys is moving from something only big banks worried about to something popping up among organizations of all sizes and shapes. Whether it is to protect customer data in a new web application or to ensure that a lost backup tape doesn’t force you to file a breach report, more and more organizations are encrypting more data in more places than ever before. And tying all of this together is the ever-present shadow of managing all those keys. In our Pragmatic Key Management for Data Encryption paper we highlighted some of the sins of the past that made key management painful, but showed how new strategies and tools can cut through those roadblocks to make key management a much more (for lack of a better word) manageable process. In the paper we identified four strategies for data encryption key management: Manage keys locally. Manage keys within a single application stack with a built-in key management feature. Manage keys for a silo using an external key management service/server/appliance, separate from the data and application stacks. Coordinate management of most or all keys across the enterprise with a centralized key management tool. We called these local, application stack, silo, and enterprise key management. Of those four strategies, the last two introduce a dedicated tool for key management. This series (and the eventual paper) will dig in to explain the major features and functions of a key manager, what to look for, and how to pick one that best fits your needs. *Why use a key manager?** Data encryption can be a tricky problem, especially at scale. Actually, all cryptographic operations can be tricky, but to keep our focus we will limit ourselves to encrypting data rather than digital signing, certificate management, and other uses of cryptography. The more diverse your keys, the better your security and granularity, but the higher the complexity. While rudimentary key management is built into a variety of products – including full disk encryption, backup tools, and databases – at some point many security professionals find they need a little more power than what’s embedded in the application stack. Some of the needs include: More robust reporting (especially for compliance). Better administrator monitoring and logging. Flexible options for key rotation and expiration. Management of keys across application components. Stronger security. Or sometimes, as with custom applications, there isn’t any existing key management to lean on. In these cases it makes sense to start looking at a dedicated key manager. In terms of use cases, some of the sweet spots we’ve found include: Backup encryption, due to a mix of longevity needs and very limited key management implementations in backup products themselves. Database encryption, because most database management systems only include the most rudimentary key management, and rarely the ability to centrally manage keys across different database instances or segregate keys from database administrators. Application encryption, which nearly always relies on a custom encryption implementation and, for security reasons, should separate key management from the application itself. Cloud encryption, due to the high volume of keys and variety of deployment scenarios. This is just to provide some context – many of you reading this probably already know you need a dedicated key manager. If you want more background on data encryption key management and when to move on to this category of tools you should read our other paper first, then hop back to this one. For the rest of you, the remaining posts in the series will cover technical features, management features, and how to choose between products. Share:

Rich here. If memory serves, I completed my first First Aid/CPR certification when I was around 10. I followed up with lifeguard at 16, ensuring myself a few years of employment as a seasonal professional volleyball player. I completed my EMT and 19 after being dumped by my first girlfriend, when I needed a way to occupy my free time. For some reason it’s hard to get insurance for 19 year-old-males driving things with lights and sirens, so I didn’t get onto my first fire department or ambulance company until I was nearly 21. I followed that up with paramedic at 22, and since then have been trained, worked as, and/or certified in everything from dive rescue, mountain rescue, and ski patrol to WMD and national disaster medical response. That’s over 20 years of being an active emergency responder at the professional level, and 25 if you count sitting in a chair, getting sunburned, and pretending I was cool like on Baywatch (well, after Baywatch started). So I am struggling to deal with the fact that as the CEO of a startup and the father of 2.4 young children, my response days are probably on hold for a bit. My EMT expired a few months ago and I don’t have the time to go to a refresher class. This is the second time since I was 19 I have let it drop, the previous time also when I was busy as heck at work. I’m still technically on a federal response team, but without my EMT they are looking at slotting me into IT… where my job will be to fix people’s computers. I. Cannot. Handle. That. Besides, I can’t take off for the minimum 2-3 week deployments anymore. Giving up part of your identity, for however short a period, is never easy. Not to pick on people who dally with their EMT on weekends, but I worked On The Job at the full-time professional level, and have been in emergency services a lot longer than IT. Heck, my computer was a Commodore 128 when I first started in EMS. I would have killed for an iPhone and iPad to fill the hours on some of the slower shifts. “Siri – calculate the drip rate for digoxin on a 172 lb patient with rapid atrial fibrilation” “Let me find that for you Rich… Willie Davis played center field for the 1972 Dodgers” “No dammit, he’s dying!” “Now playing ‘Staying Alive’ by the Bee Gees” Maybe that wouldn’t have been so good. I can live without the lights and sirens, but I miss being an active part of the community. I miss cooking meals in the firehouse, drinking Crown Royal on the rocks in the locker room after a cold ski patrol shift, or simply bullshitting for hours on end with my partner in the ambulance parked on the street corner. Yes, there was the bad, but my kids puke on me far more than any patients ever did. But never underestimate the appeal of the Brotherhood. But I’m co-running a successful company and a happy family. There is absolutely no way I can balance the needs of those priorities with the demands of even a volunteer responder position. I try to be honest with myself, and the truth is I haven’t really been active since we had our first daughter. I could try and cling, but all I’d do is be bad at everything. So it’s time for a break. At some point work will settle down and the kids will be okay with Dad being gone for a shift every now and then. I’ll need to redo a lot of training, but there’s nothing wrong with that. And I’ll still totally abuse my background and use firefighting and rescue anecdotes in every presentation I can stuff them into. Thanks for letting me vent. I love a semi-captive audience. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Nothing I could find. No one loves us any more. Favorite Securosis Posts Adrian Lane: US Returns Fire in Huawei/ZTE Report. I’ve picked this as Fav internal, both for Rich identifying the pressure point as well as Huawei will be in the news for a long time. It’s not just the U.S. reaction, but about a dozen other countries and about half the firms that work with Huawei have made similar claims. Rich: Defending Against DoS Attacks: Defense Part 1, the Network. I got crap for seeming to dismiss the recent DoS attacks. It wasn’t that I dismissed their importance, but not everyone is in the same crosshairs. DDoS has been a problem for a while but we see a massive uptick in interest, for very valid reasons. Other Securosis Posts Defending Against DoS Attacks: Defense, Part 2: Applications. Incite 10/10/2012: A Perfect Day. Favorite Outside Posts Adrian Lane: Designing for failure may be the key to success. You need to be a database and language processing geek to appreciate this, but IBM Fellow Bruce Lindsey clearly sees the inner workings of data processing systems and how all the pieces fit together. Not for everyone, but an interesting view on designing software for unexpected outcomes. Rich: Spaf on the anti-science side of political rhetoric. I’m bordering on getting political by linking to this, but the important part for me is the importance of science and critical thinking. Research Reports and Presentations The Endpoint Security Management Buyer’s Guide. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Understanding and Selecting Data Masking Solutions. Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks. Implementing and Managing a Data Loss Prevention Solution. Defending Data on iOS. Malware Analysis Quant Report. Top News and Posts Prepaid Enters Mainstream. Trying to find the consumer benefit here – I see a medium open to fraud and fees at consumers’ expense. Speaking of Huawei, hacker shows ease of gaining router access. Thousands of student records stolen in Florida breach. Google patches Chrome within 24 hours of bug

I had a call today with a Reuters reporter about the Huawei/ZTE deal being spiked by the US government. To be honest, there’s an aspect of this story I assumed someone else would mention first, but I haven’t noticed it being explicitly stated anywhere yet. It’s a simple story: China hacks the crap out of the rest of the world. The world doesn’t do dick, due to a lack of real ability to apply meaningful consequences. Big Chinese business wants to expand globally. US (and probably the rest of the world) says “Ah ha!” I don’t know if Huawei and ZTE are a real risk, rather than a potential security risk (which they certainly are), but it doesn’t matter. This is all about consequences, and no one in the US government gives a crap if Huawei gets caught in the middle. In fact it would be awfully nice if those executives pressured their own government to back down. The real risk of the Huawei/ZTE deals don’t matter at this point – it’s all about what few consequences the US can create for the Chinese government. Share:

There was a lot of big news this week in the security world, most of it bad. Even if you skip the intro, make sure you read the Top News section. Rich here, Growing up I was – and this might shock some of you – a bit of a nerd. I glommed onto computers and technology pretty much as soon as I had access to them, and when I didn’t I was reading books and watching shows that painted wonderful visions of the future. I was a hacker before I ever heard the word, constantly taking things apart to see how they worked, then building my own versions. Technology is thus very intuitive to me. I never had to learn it in the same way as people coming to computers and electronics later in life. I began programming so early in life that it keyed into the same (maybe) brain pathways that allow children to learn multiple languages with far more facility than adults. While my generational peers are far more comfortable with technology and computers than our parents, I generally still have a leg up due to my early immersion. I naturally assumed that the generations following me would grow up closer to my experiences than my less geeky peers. But much to my surprise, although they are very comfortable with computers, they don’t have the damnedest idea of how they work or how to bend them to their own will. Unless it involves cats and PowerPoint. Lacking teachers who understood tech, they grow up learning how to use Office, not to program or dig into technology beyond the shallowest surface levels. As I have started raising my own kids, I worry about how to get them interested in technology, and algorithmic thinking, in a world where iPads put the entire Disney repository a few taps away. I’m not talking about forcing them to become programmers, but taking advantage of their brain plasticity to reinforce logical thinking and problem solving, and at least convey a sense of deeper exploration. This really did worry me, but over the past few months I have realized that as a parent I have the opportunity to engage my children to degrees my parents couldn’t possibly imagine. It was a big deal when I got my first Radio Shack electronics kit. It was even a bigger deal when I made my first radio. My kids? This past weekend my 3.5 and 2 year old got to play with their first home-built LEGO robot. Yes, I did most of the building and all the programming, but I could see them learning the foundation of how it worked and what we could make it do. Building a robot to play with our cat is a hell of a lot more exciting than putting a picture of a cat in a PowerPoint. This is barely the start. I grew up pushing ASCII pixels on screens. They will grow up programming, and perhaps designing, autonomous flying drones with high-definition video feeds. I grew up making simple electric candles that would turn on in a dark room. They will be able to create wonderful microcontroller-based objects they then embed into 3-D printed housings. There’s no guarantee they will actually be interested in these things, but social engineering isn’t just for pen testing. Hopefully I can manipulate the crap out of them so they at least get the basics. And, if not, it means more stock fab material for me. I’m biased. I think most of my success in life is due to a combination of logical thinking, the exploratory drive of a hacker, and a modest facility with the written word. As a parent I now have tools to teach these skills to my children in ways our parents could only dream about. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on the myth of cyberinsurance. Mike’s Security Intelligence post at Dark Reading. Favorite Securosis Posts Adrian Lane: My Security Fail (and Recovery) for the Week. Gave me a moment of panic. Mike Rothman: Securing Big Data: Architectural Issues. This series is critical for you to learn what’s coming. If it hasn’t already arrived. Rich: David Mortman’s Another Inflection Point. The more we let go of, the more we can do. Other Securosis Posts Defending Against DoS Attacks: The Attacks. Incite 9/27/2012: They Own the Night. New Research Paper: Pragmatic WAF Management. Favorite Outside Posts Adrian Lane: OAuth 2.0 – Google Learns to Crawl. For someone learning just how much I don’t know about authorization, this is a good overview of the high points of the OAuth security discussion. Mike Rothman: 25 Great Quotes from the Princess Bride. 25 YEARS! WTF? I don’t feel that old, but I guess I am. Take a trip down memory lane and remember one of the better movies ever filmed. IMHO, anyway. Rich: Connect with your inner grey hat. The title is a bit misleading, but the content is well stated. You need to change up your thinking constantly. Research Reports and Presentations Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Understanding and Selecting Data Masking Solutions. Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks. Implementing and Managing a Data Loss Prevention Solution. Defending Data on iOS. Malware Analysis Quant Report. Report: Understanding and Selecting a Database Security Platform. Top News and Posts The big news this week is the compromise and use of an Adobe code signing certificate in targeted attacks. Very serious indeed. Banks still fighting off the Iranian DDoS attacks. OpenBTS on Android. This is the software you use to fake a cell phone base tower. Smart grid control vendor hacked. Yes, they had deep access to their clients, why do you ask? An interview with the author of XKCD. Sudo read this article. PHPMyadmin backdoored. PPTP now really and truly dead. More Java 0day. Seriously, what the hell is going on this week? And to top everything off, a Sophos post

I remember sitting at lunch with a friend and well-respected member of our security community as I described the architecture we used to protect our mail server. I’m not saying it’s perfect, but this person responded with, “that’s insane – I know people selling 0-days to governments that don’t go that far”. On another occasion I was talking with someone with vastly more network security knowledge and experience than me; someone who once protected a site attacked daily by very knowledgeable predators, and he was… confused as to why I architected the systems like I did. Yesterday, it saved my ass. Now I’m not 100% happy with our current security model on mail. There are aspects that are potentially flawed, but I’ve done my best to reduce the risk while still maintaining the usability we want. I actually have plans to close the last couple holes I’m not totally comfortable with, but our risk is still relatively low even with them. Here’s what happened. Back when we first set up our mail infrastructure we hit a problem with our VPN connections. Our mail is on a fully segregated network, and we had some problems with our ISP and IPSec-based VPNs even though I tried multiple back-end options. Timing-wise we hit a point where I had to move forward, so I set up PPTP and mandated strong passwords (as in I reviewed or set all of them myself). Only a handful of people have VPN access anyway, and, at the time, a properly-constructed PPTP password was still very secure. That delusion started dying this summer, and was fully buried yesterday thanks to a new, cloud-based, MS-CHAP cracking tool released by Moxie Marlinspike and David Hulton. The second I saw that article I shut down the VPN. But here’s how my paranoia saved my ass. As a fan of hyper-segregation, early on I decided to never trust the VPN. I put additional security hardware behind the VPN, with extremely restrictive policies. Connecting via the VPN gave you very little access to anything, with the mail server still completely walled off (a UTM dedicated only to the mail server). Heck, the only two things you could try to hack behind the VPN were the VPN server itself and the UTM… nothing else is directly connected to that network, and all that traffic is monitored and filtered. When I initially set things up people questioned my choice to put one security appliance behind another like that. But I didn’t want to have to rely on host security for the key assets if someone compromised anyone connected to our VPN. In this case, it worked out for me. Now I set all this up pre-cloud, but you can set up a similar architecture in many VPC or private cloud environments (you need two virtual NICs and a virtual UTM, although even simple firewall rules can go a long way to help). This is also motivation to finish the next part of my project, which involves yet another UTM and server. Share:

Hang with me as I channel my inner Kerouac (minus the drugs, plus the page breaks) and go all stream of consciousness. To call this post an “incomplete thought” would be more than a little generous. I believe we are now deep in the early edge of a major inflection point in security. Not one based merely on evolving threats or new compliance regimes, but a fundamental transformation of the practice of security that will make it nearly unrecognizable when we finally emerge on the other side. For the past 5 years Hoff and I have discussed disruptive innovation in our annual RSA presentation. What we are seeing now is a disruptive conflagration, where multiple disruptive innovations are colliding and overlapping. It affects more than security, but that’s the only area about which I’m remotely qualified to pontificate. Perhaps that’s a bit of an exaggeration. All the core elements of what we will become are here today, and there are certain fundamentals that never change, but someone walking into the SOC or CISO role of tomorrow will find more different than the same unless they deliberately blind themselves. Unlike most of what I read out there, I don’t see these changes as merely things we in security are forced to react to. Our internal changes in practice and technology are every bit as significant contributing factors. One of the highlights of my career was once hanging out and having beers with Bruce Sterling. He said that his role as a futurist was to imagine the world 7 years out – effectively beyond the event horizon of predictability. What I am about to describe will occur over the next 5-10 years, with the most significant changes likely occurring in those last 7-10 years, but based on the roots we establish today. So this should be taken as much as science fiction as prediction. The last half of 2012 is the first 6 months of this transition. The end result, in 2022, will be far more change over 10 years than the evolution of the practice of security from 2002 through today. The first major set of disruptions includes the binary supernova of tech – cloud computing and mobility. This combination, in my mind, is more fundamentally disruptive than the initial emergence of the Internet. Think about it – for the most part the Internet was (at a technical level) merely an extension of our existing infrastructure. To this day we have tons of web applications that, through a variety of tiers, connect back to 30+-year-old mainframe applications. Consumption is still mostly tied to people sitting at computers at desks – especially conceptually. Cloud blows up the idea of merely extending existing architectures with a web portal, while mobility advances fundamentally redefine consumption of technology. Can you merely slop your plate of COBOL onto a plate of cloud? Certainly, right as you watch your competitors and customers speed past at relativistic speeds. Our tradition in security is to focus on the risks of these advances, but the more prescient among us are looking at the massive opportunities. Not that we can ignore the risks, but we won’t merely be defending these advances – our security will be defined and delivered by them. When I talk about security automation and abstraction I am not merely paying lip service to buzzwords – I honestly expect them to support new capabilities we can barely imagine today. When we leverage these tools – and we will – we move past our current static security model that relies (mostly) on following wires and plugs, and into a realm of programmatic security. Or, if you prefer, Software Defined Security. Programmers, not network engineers, become the dominant voices in our profession. Concurrently, four native security trends are poised to upend existing practice models. Today we focus tremendous effort on an infinitely escalating series of vulnerabilities and exploits. We have started to mitigate this somewhat with anti-exploitation, especially at the operating system level (thanks to Microsoft). The future of anti-exploitation is hyper segregation. iOS is an excellent example of the security benefits of heavily sandboxing the operating ecosystem. Emerging tools like Bromium and Invincea are applying even more advanced virtualization techniques to the same problem. Bromium goes so far as to effectively virtualize and isolate at a per task level. Calling this mere ‘segregation’ is trite at best. Cloud enables similar techniques at the network and application levels. When the network and infrastructure are defined in software, there is essentially zero capital cost for network and application component segregation. Even this blog, today, runs on a specially configured hyper-segregated server that’s managed at a per-process level. Hyper segregated environments – down, in some cases, to the individual process level – are rapidly becoming a practical reality, even in complex business environments with low tolerance for restriction. Although incident response has always technically been core to any security model, for the most part it was shoved to the back room – stuck at the kids’ table next to DRM, application security, and network segregation. No one wanted to make the case that no matter what we spent, our defenses could never eliminate risk. Like politicians, we were too frightened to tell our executives (our constituency) the truth. Especially those who were burned by ideological execs. Thanks to our friends in China and Eastern Europe (mostly), incident response is on the earliest edge of getting its due. Not the simple expedient of having an incident response plan, or even tools, but conceptually re-prioritizing and re-architecting our entire security programs – to focus as much or more on detection and response as on pure defense. We will finally use all those big screens hanging in the SOC to do more than impress prospects and visitors. My bold prediction? A focus on incident response, on more rapidly detecting and responding to attacker-driven incidents, will exceed our current checklist and vulnerability focused security model, affecting everything from technology decisions to budgeting and staffing. This doesn’t

Our very own Gunnar Peterson is co-presenting what looks like an insanely awesome mobile application security class. And with a name like The Mobile App Sec Triathlon you know I am interested. The class is November 5-7 in San Jose, and you can get more information and sign up This class covers what developers, architects, and security people should know when working on Mobile, iOS, and Android. The first day is more high level, with the second two days all developer hands-on. Gunnar also wrote a post on why he trains, with a lot more information. This is really a great opportunity, and I don’t believe there is anyone else as qualified offering this sort of class. Share:

In today’s news we see yet another zero-day Internet Explorer exploit being used in the wild. And once again, soon after becoming public, an exploit was added to Metasploit. Well, sort of. While the in-the-wild attack only works against Windows XP, the Metasploit version works against Windows 7 and Vista. (Note that IE 10 isn’t affected). You can read the article linked above for the details, but this gets to something I have been recommending privately for a while: support 2 browsers, even if one is only for emergencies. First of all, ideally you’ll be on a modern operating system. I’m not one to blame the victim, but allowing XP is a real problem – which I know many of you fight every day. Second, this advice doesn’t help with all browser-based attacks, especially Java. But you can configure it in a way that helps. Choose a secondary browser that is allowed for web browsing. Chrome is most secure right now, but make sure you set its privacy defaults to not bleed info out to Google. Ideally block Java in the browser. Maybe even Flash, depending on how you feel about the Chrome sandbox. If something like this IE flaw hits, notify users to use the secondary browser for outside websites (odds are you need IE for internal web apps programmed by idiots or 19th-century transplants, and so cannot ban it completely). If you can, set a network policy that (temporarily) blocks IE from accessing external sites (again, you can make exemptions for partners). Unfortunately I don’t believe many tools support this. I know this advice isn’t perfect. And there are tools like Invincea and (soon) Bromium that can likely stop this stuff cold in the browser – as well as a few network tools, although history shows signature-based defenses aren’t all that effective here. But if you can pull it off you aren’t stuck waiting for a patch or another workaround. Especially if you go with the “block Java / isolate or block Flash” option. This approach allows you to still only support one browser for your applications, and use a secondary one when needed without users having to violate policy to install it themselves. Share:

Rich here. Way **way** back in my earliest Gartner days one of my first speaking engagements was a series of three-city tours where I was paired up with an extremely experienced telecom analyst. I was still in my twenties, and probably wasn’t qualified to wash my privates — never mind advise anyone on their security strategy. This was an awesome training ground for a number of reasons. First of all, the stakes were low — these were smaller audiences, out for a free event. Second was all the practice I got, giving the same talk three days in a row to different groups. And it was great to work with an exceptionally good speaker with oodles of experience. But that’s not what I’m going to talk about. The best part for me, as someone with an unhealthy attraction to wireless devices, was spending time with someone who’d been on the inside of the telecom industry for over 20 years. The tech part I could understand easily enough, but the business side was far more fascinating than I expected. And this was after I had worked in Europe for a few months helping design the first system to sell and activate mobile phones over the Internet. Nick hammered one rule into my head that hasn’t changed in the dozen-odd years since. “Telecom providers are greedy and stupid”. Every single decision they make is dependent on those baseline traits. This is especially relevant as I try and figure out just what combination of iPhone 5 and data plan will best fit my needs. First there are the relevant technology limitations. Such as the fact that LTE is a data-only standard, and carriers around the world haven’t really figured out the voice details. So the phones have to support their *old* voice and data standards (GSM or CDMA) *plus* LTE, and your phone might behave differently depending on your coverage. The best example is that Verizon only supports voice and data at the same time if you are on LTE, but not on 3G. Then there are all the roaming agreements and spectrum issues for us world traveler types. Like when I was in Russia and it was $5 per minute for voice calls *on the discounted plan*. For comparison a satellite phone is around $1 per minute, but you need a clear view of the sky. Then there are the plan and transition issues. All the carriers hooked us with unlimited data, then said “f*** off — you are over-using what you paid for”. So we have things like shared data plans, which look better but probably cost more for most people. And then there is the very special case of AT&T, who will change their iPhone 5 signal indicator to a big fat middle finger. (Or the other 2-finger gesture, if you are roaming from the UK). Want FaceTime over cellular? Just switch to our more expensive plan and consider yourself lucky we **let** you install Angry Birds! You want 4G? Fine, we’ll change the display to say 4G to shut you up. Not that Verizon is innocent. They might make a big deal over not restricting FaceTime, but they have to allow it (and Personal Hotspot) thanks to agreements they made with the US government for LTE spectrum. It’s only a feature because they were forced. And those of you in Europe and Asia? Man, when I worked in Europe back around 2000 it was paradise compared to the US. Now I hear it’s more like paying for a high-priced dominatrix who beats the crap out of anyone else who looks at you funny. And that still beats Australian providers, who are friggin’ Mother Theresas compared to *Canadian* providers. So I hear. Then again, us Apple folks live in paradise compared to all the hacked-together Android phones you can’t update, which carriers load down with their “value add” user interfaces and crapware. I don’t mind the carriers making money, and I don’t mind paying for my data, but they clearly haven’t figured out that brand loyalty and happy customers might, just possibly, come from a positive user experience beyond “Oh good, I didn’t lose this call.” Instead of adopting the traits that made Apple so popular, they are trying their damndest to maxmize revenue and reduce churn through penalty-based lockin. But it could be worse. They *could* start smashing your head against a wall of glass shards while calmly stating “your call is very important to us,” like cable companies. On to the Summary: ##Webcasts, Podcasts, Outside Writing, and Conferences * [Mike quoted in this Silicon Angle series on CyberWars](http://siliconangle.com/blog/2012/08/07/cyberwars-caught-in-the-crossfire-cyberwars/). Probably too much hype here and overuse of buzzwords, but decent perspectives on the attackers. [Part 1](http://siliconangle.com/blog/2012/08/07/cyberwars-caught-in-the-crossfire-cyberwars/), [Part 2](http://servicesangle.com/blog/2012/08/08/cyberwars-2-welcome-to-the-wild-wild-west-cyberwars/), [Part 3](http://servicesangle.com/blog/2012/08/09/cyberwars-3-a-new-business-reality-cyberwars/) * Rich quoted [about a not-so-great mobile study](http://securitywatch.pcmag.com/none/302447-problems-with-pew-s-mobile-privacy-study). ##Favorite Securosis Posts * Adrian Lane: [The Five Laws of Data Masking](https://securosis.com/blog/the-five-laws-of-data-masking). I pulled another classic Securosis post for this week’s fave. * Mike Rothman: [Incite 1/25/2012: Prized Possessions](https://securosis.com/blog/incite-1-25-2011-prized-possessions). Evidently we don’t blog any more (doh!), so we have taken to digging through the archives and highlighting pieces from the past. Here is an Incite I wrote back in January, and it reminds me of what’s important. To me, anyway. * Rich: Mike starts his new DDoS series — [Defending Against Denial of Service (DoS) Attacks](https://securosis.com/blog/defending-against-denial-of-service-dos-attacks-new-blog-series) ##Favorite Outside Posts * Mike Rothman: [It’s More Important to be Kind than Clever](http://blogs.hbr.org/taylor/2012/08/its_more_important_to_be_kind.html). Most businesses are always striving for improvement. But at what cost? This HBR post puts things in the proper context. _”Just make sure all their efficiency doesn’t come at the expense of their humanity.”_ * Adrian Lane: [Tracking Down the UDID Breach Source](http://intrepidusgroup.com/insight/2012/09/tracking-udid-src/). The thoughtful quest to figure out the UDID breach source. Well done! * Rich: Verizon’s [third post in a series on opportunistic attacks](http://securityblog.verizonbusiness.com/2012/09/11/ask-the-data-on-opportunistic-attacks-part-3/). I may pick on the wireless side, but the Verizon Business security guys are our best industry source for data driven reports right now. ##Research Reports and Presentations * [Understanding and Selecting Data Masking Solutions](https://securosis.com/research/publication/understanding-and-selecting-data-masking-solutions).

Rich here. Yesterday I published an article over at Macworld on the New Java exploits, and why Mac users likely aren’t at risk. As with many previous articles on Mac security, I’m getting really positive feedback. Heck, I have even had people tell me that I’m currently writing the best stuff out there on Apple security overall. (Probably not true, but I’ll take it.) When I asked some people privately about this, they told me they like my articles because they are accurate, hype free, and practical. The thing is, there really isn’t anything special about how I write this stuff up. Some days I feel like it’s some of the easiest prose I put on the screen. I think there is one compelling reason there are so many bad security articles out there in general (when we write about attacks), and even more crap about Apple products. Page views. Anytime anything remotely related to security and Apple comes up, there is a bum rush to snag as many mouse clicks as possible, which forces those writers to break pretty much every rule I have when writing on the issue. Here’s how I approach these pieces: Know the platform. Don’t hype. Research, and don’t single source. Accurately assess the risk. Accurately report the facts. This isn’t hard. It really comes down to understanding the facts and writing without unnecessary hype. From what I can tell, this also results in solid page views. I don’t see my Macworld or TidBITS stats, but from what they tell me the articles do pretty well, even if they come a day after everyone else. Why? Because many of the other articles suck, but also because users will seek out information that helps them understand an issue, rather than an article that just scares them. These are the articles that last, as opposed to the crap that’s merely thinly-disguised plagiarizing from a blog post. I get it. If it bleeds, it leads. But I would rather have a reputation for accuracy than for page views. There are also a bunch of articles (especially from AV vendors) that are technically accurate but grossly exaggerate the risk. Take all the calls for the impending Mac Malware Epidemic… by my count there have only been two large infections in the past two years, neither of which resulted in financial losses to consumers. I really don’t care how much Elbonian porn is back-doored with trojans. (I have been waiting 5 years to write that sentence). Anyway, for those of you who read these articles rather than writing them, here are a few warning signs that should raise your skepticism: Are all the quotes from representatives of security companies with something to gain from scaring you? Does the headline end in a question mark? Is it cross-platform, but ‘Mac’ or ‘iPhone’ got shoehorned into the headline to snag page views? Is more than one source cited? Multiple blog posts which all refer back to the same original source don’t count. Does the article provide a risk assessment in the lead or only in the conclusion? Does it use phrases like “naive Apple users”? Then again, I don’t get paid by hit counts. Or maybe I just underestimate how many people download Elbonian porn. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted in this Silicon Angle series on CyberWars. Probably too much hype and overuse of buzzwords, but decent perspectives on the attackers. Part 1, Part 2, Part 3 Mike’s Dark Reading column on making tough choices. Rich covered the Java exploit for Macworld. Favorite Securosis Posts Adrian Lane: Ur C0de Sux. Seeing as we have not been able to blog much lately, I pulled out an old favorite. Mike Rothman: Always on the Run. When I read my intro to this week’s Incite again, I realized it’s pretty good advice. To me. So I’ll bookmark it and get back to it every time I start dragging a bit. Just keep running and good things happen. David Mortman: Pragmatic WAF Management – Securing the WAF. Other Securosis Posts Slow week – and to be honest, next week will also be slow thanks to way too much travel. We promise to get back to annoying you more consistently soon. Maybe. Favorite Outside Posts Mike Rothman: How to set up two step verification on Dropbox. You probably use Dropbox. You probably don’t want anyone else in that file store. You probably should use two-step authentication. If it works as cleanly and easily as Gmail 2FA this is a no-brainer. I’ll be testing it over the weekend. Adrian Lane: Schneier on Security Engineering. “‘Security’ is now a catch-all excuse for all sorts of authoritarianism, as well as for boondoggles and corporate profiteering.” Excellent post. Dave Lewis: Identity is Center Stage in Mobile Security Venn. David Mortman: Don’t build a database of ruin. Rich: The rise of data-driven security. Scott Crawford is A Very Smart Dude and has been tracking this issue longer than any other analyst. The report is for-pay only, but there is a lot of good info in the long (and free) intro post. Research Reports and Presentations Understanding and Selecting Data Masking Solutions. Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks. Implementing and Managing a Data Loss Prevention Solution. Defending Data on iOS. Malware Analysis Quant Report. Report: Understanding and Selecting a Database Security Platform. Vulnerability Management Evolution: From Tactical Scanner to Strategic Platform. Top News and Posts New Java 0day With Maynor statements like “This is as about a bad a bug as I’ve ever seen,” and “This exploit is awesome,” you know it’s good. German police buy stolen data, accuse Swiss of aiding tax evaders. It sounds like German investigators not only sought out stolen financial data, but will continue to do so. New Trojan Discovered. Chrome: Blocked Plug-ins. For those who want a little more granularity than ‘On’ or ‘Off’. ISC(2) Board Petition Snafu. Oh, why am I not surprised? Project Viglio