Research

With the CanSecWest conference last week, right on the heels of Black Hat Europe, there have been many happenings in the security world. On top of that, our favorite investigative reporter managed to take down yet another group of bad guys by shining his flashlight in the right direction.   < p>But before we delve into the week’s security news, we spend a little time talking about my shiny new Mac Pro, as Martin gives me a few parenting tips (don’t worry, we try not to bore you too much). I rant a bit on Apple’s stupidity with their cord-length on the new 24” Cinema Display. Seriously, only 3’6”? With no extension available anywhere?!? Sigh. And now, on to the show. Network Security Podcast, Episode 143, March 24, 2009 Show Notes: Brian Krebs reveals the evil that is TrafficConverter. TrafficConverter is shut down. Coincidence? Nope. Is Conficker just a big April’s Fools day joke? Yeah, right. Jeremiah Grossman is seeking quick hits in web application security. Core Security researchers reveal BIOS attack. All browsers go down at CanSecWest. Except Chrome, but no one really targeted it. (Yes, Alan, I just cribbed my own show notes again.) Share:

Ah yes, as spring approaches, so does Sundance for Ugly People (as a friend likes to call the RSA Security Conference). We will, of course, be there. But unlike other years we have a little surprise brewing. Schedule-wise I’m giving one track session, and participating in 3 panels: Tuesday at 1:30 PM: Discover, Protect, and Securely Share Sensitive Corporate Data (panel on DLP/DRM/etc.). Tuesday at 4:10 PM: “Groundhog Day” – History Repeats Itself (with Rothman, McKeay, Mortman and Ron Woerner- my favorite panel). Thursday at 9:20 AM (those bastards, 9am?): Which Security Tools Take Priority in a Challenging Economic Climate? (panel with Shimel, Rothman, and… okay, sorry to leave someone off). Should be a hoot. Friday at 10:10 AM: Disruptive Innovation and the Future of Security (With The Hoff. Flat out, this session is going to rock, and it’s worth changing your flight to stay for). We’re still figuring out our schedule for non-official speaking slots. Priority goes to the paying clients (since we are totally… “professionals”… and need to pay for our post RSA rehab trip). We have a few slots open, but also some things on the table and are hoping to lock it down by next week (breakfast/lunch/mid-day stuff only, evenings are all tied up already). Like many of you, we plan to fully participate in all the evening activities. If you’ve been to RSA before, you also know that comes at a price to be extracted the following morning. To ease your pain, on Wednesday we are sponsoring the Securosis Recovery Breakfast. For a few hours we’ll have an open buffet with all the required recovery tools (aspirin, Tums, activated charcoal administered by an expired paramedic). No presentations, subdued lighting, and loud noises prohibited. We’ll be posting more details on it next week, and highly encourage you to RSVP so we can make sure we have enough food. The location will be extremely convenient, and we should have it locked down in the next couple of days. And that’s it! We look forward to seeing everyone there, and if you want to meet, please hit us up as soon as possible so we can coordinate schedules. Share:

Hi everyone, Just a quick note that tomorrow we’ll be giving a webcast about our research behind The Business Justification for Data Security paper we recently released. For those of you with too much ADD to read all 30+ pages, we’ll be covering all the core material and walking through an example case. The webcast starts at 1pm ET, is with the SANS Institute, and is sponsored by McAfee; you can sign up here. We’ll also have some time for Q&A, so this is your chance to dig in a little deeper with us. On another note, we are very close to putting up the new version of the Securosis site- yes Virginia, pretty soon we’ll have more than a default WordPress template. As a consequence, our blog posts might be a little light this week. Don’t worry, the new site will make up for it. Share:

Hi everyone, With me adapting to the new baby and holding the fort here at Securosis Central, and Adrian out at the Source conference, I wasn’t able to get our usual weekly summary together. But not to worry- we have a ton of news and announcements for next week, and some very big announcements over the next 2 weeks. On that note, I’ll let you all get back to Happy Hour as I finish working on a presentation. Share:

No, we don’t mean vote for your favorite geriatric patriarch or matriarch, but for your favorite security blog. While I’m a little late posting this (I blame being distracted by the impending, then final, arrival of my incredibly cute daughter), there’s still plenty of time to vote. The awards are all part of the Security Blogger’s Meetup, which started as a little gathering put together by Martin and myself 3 years ago, and is now a pretty big & impressive event, with an actual budget. At least I think it’s impressive- it’s hard to remember after all the free booze. The Social Security Awards were an idea Alan Shimel came up with to recognize the best security bloggers out there and continue to build our community. You can vote in the following categories: Best Security Podcast Best Technical Security Blog Best Corporate Security Blog Best Non-Technical Security Blog Most Entertaining Security Blog We’ll tabulate the votes, and then the final winners will be selected by our all-star panel of tech journalists. We’ll be having an awards ceremony at the meetup, and giving out prizes courtesy of Seagate (encrypted hard drives, of course). Those of us on the organizing committee are excluded from the awards, so please don’t vote for me. Really, it wouldn’t be fair to all the other bloggers if I were competing anyway. So go vote. Now. I know how many of you are out there reading, and if you don’t vote I’ll tell your mom. Also, special thanks to Jennifer Leggio for doing nearly all the hard work putting this together. Share:

Adrian and I are proud to release our latest whitepaper: Building a Web Application Security Program. For those of you who followed along with the blog series, this is a compilation of that content, but it’s been updated to reflect all the comments we received, with additional research, and the entire report was professionally edited. We even added a couple pretty pictures! We’re very excited to get this one out, since we haven’t really seen anyone else show you how to approach web application security as a comprehensive program, rather than a collection of technologies and one-off projects. One of our main goals was to approach web application security as a business problem, not just an isolated technology issue. We want to especially thank our sponsors, Core Security Technologies and Imperva. Without them, we couldn’t produce free research like this. As with all our papers, the content was developed independently and completely out in the open using our Totally Transparent Research process. In support of that, we also want to thank the individuals who affected the end report through their comments on the Securosis blog: Marcin Wielgoszewski, Andre Gironda, Scott Klebe, Sharon Besser, Mike Andrews, and ds (we only reveal the names they list as public in their comments). This is version 1.0 of the document, and we will continue to update it (and acknowledge new contributions) over time, so keep coming with the comments if you think we’ve missed anything or gotten something wrong. Share:

I was getting a little excited when I read this article over at NetworkWorld about how the PCI council will be releasing a prioritized roadmap for companies facing compliance. It’s a great idea- instead of flogging companies with a massive list of security controls, it will prioritize those controls and list specific milestones. Now before I get to the fun part, I want to quote myself from one of my posts on PCI: Going back to CardSystems, a large majority of major breaches involve companies that were PCI compliant, including (probably) Hannaford. TJX is an open question. In many cases, the companies involved were certified but found to be non-compliant after the breach, which indicates a severe breakdown in the certification process. Now on to the fun (emphasis added by moi): Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says. What a load of shit. With the volume of breaches we’ve seen, this either means the standard and certification process are fundamentally broken, or companies have had their certifications retroactively revoked for political reasons after the fact. As I keep saying, PCI is really about protecting the card companies first, with as little cost to them as possible, and everyone else comes a distant second. It could be better, and the PCI Council has the power to make it so, but only if the process is fixed with more accountability of assessors, a revised assessment/audit process (not annual), a change to real end-to-end encryption, and a real R&D effort to fix the fundamental flaws in the system, instead of layering on patches that can never completely work. You could also nominate me for the PCI Council Board of Advisors. I’m sure that would be all sorts of fun. Seriously – we can fix this thing, but only by fixing the core of the program, not by layering on more controls and requirements. Share:

Had a very interesting call today with a client in the pharma research space. They would like to protect clinical study data as it moves to researcher’s computers, but are struggling with the best approach. On the call, I quickly realized that DLP, or a content tracking tool like Verdasys (who also does endpoint DLP) would be ideal. The only problem? They need Windows, Mac, and Linux support. I couldn’t remember offhand of any DLP/tracking tool (or even DRM) that will work on all 3 platforms. This is an open call for you vendors to hit me up if you can help. For you end users, where we ended up was with a few potential approaches: Switch to a remote virtual/hosted desktop for handling the sensitive data… such as Citrix or VMWare. Use Database Activity Monitoring to track who pulls the data. Endpoint encryption to protect the data from loss, but it won’t help when it’s moved to inappropriate locations. Network DLP to track it in email, but without the endpoint coverage it leaves a really big hole. Content discovery to keep some minimal tracking where it ends up (for managed systems), but that means opening up SMB/CIFS file sharing on the endpoint for admin access, which is in itself a security risk. Distributed encryption, which *does* have cross platform support, but still doesn’t stop the researcher from putting the data someplace it shouldn’t be, which is their main concern. While this is one of those industries (research) with higher Mac/cross platform use than the average business, this is clearly a growing problem thanks to the consumerization of IT. This situation also highlights how no single-channel solution can really protect data well. It’s the mix of network, endpoint, and discovery that really allows you to reduce risk without killing business process. Share:

A month or so I go I was invited by Jeremiah Grossman to help judge the Top 10 Web Hacking Techniques of 2008 (my fellow judges were Hoff, H D Moore, and Jeff Forristal). The judging ended up being quite a bit harder than I expected- some of the hacks I was thinking of were from 2007, and there were a ton of new ones I managed to miss despite all the conference sessions and blog reading. Of the 70 submissions, I probably only remembered a dozen or so… leading to hours of research, with a few nuggets I would have missed otherwise. I was honored to participate, and you can see the results over here at Jeremiah’s blog. Share:

< div class=”wiki_entry”> Last Friday Adrian sent me an IM that he was just about finished with the Friday summary. The conversation went sort of like this: Me: I thought it was my turn? Adrian: It is. I just have a lot to say. It’s hard to argue with logic like that. This is a very strange week here at Securosis Central. My wife was due to deliver our first kid a few days ago, and we feel like we’re now living (and especially sleeping) on borrowed time. It’s funny how procreation is the most fundamental act of any biological creature, yet when it happens to you it’s, like, the biggest thing ever! Sure, our parents, most of our siblings, and a good chunk of our friends have already been through this particular rite of passage, but I think it’s one of those things you can never understand until you go through it, no matter how much crappy advice other people give you or books you read. Just like pretty much everything else in life. I suppose I could use this as a metaphor to the first time you suffer a security breach or something, but it’s Friday and I’ll spare you my over-pontification. Besides, there’s all sorts of juicy stuff going on out there in the security world, and far be it from me to waste you time with random drivel when I already do that the other 6 days of the week. Especially since you need to go disable Javascript in Adobe Acrobat. Onto the week in review: Webcasts, Podcasts, Outside Writing, and Conferences: Brian Krebs joined us on the Network Security Podcast. Favorite Securosis Posts: Rich: I love posts that stir debate, and A Small, Necessary Change for National Cybersecurity sure did the job. Adrian: Database Configuration Assessment Options. Favorite Outside Posts: Adrian: Rothman nails it this week with I’m a HIPAA, Hear Me Roar. Rich: Amrit on How Cloud, Virtualization, and Mobile Computing Impact Endpoint Management in the Enterprise. I almost think he might be being a little conservative on his time estimates. Top News and Posts: Kaminsky supports DNSSEC. His full slides are here. No, he’s not happy about it. Is there a major breach hiding out there? There is a major Adobe Acrobat exploit. Disable Javascript now. Verizon is implementing spam blocking. Nice, since they are one of the worst offenders and all. Sendio (email security) lands $3M. Glad we didn’t call that market dead. Microsoft sued over XP downgrade costs. Next, they’ll be sued for using the color blue in their logo. (Note to self- call lawyer). Much goodness at Black Hat DC. Too much to cover with individual links. Metasploit turns attack back on attackers. Stupid n00bs. Blog Comment of the Week: Sharon on New Database Configuration Assessment Options IMO mValent should be compared with CMDB solutions. They created a compliance story which in those days (PCI) resonates well. You probably know this as well as I (now I”m just giving myself some credit ) but database vulnerability assessment should go beyond the task of reporting configuration options and which patches are applied. While those tasks are very important I do see the benefits of looking for actual vulnerabilities. I do not see how Oracle will be able to develop (or buy), sell and support a product that can identify security vulnerabilities in its own products. Having said that, I am sure that many additional customers would look and evaluate mValent. The CMDB giants (HP, IBM and CA) should expect more competitive pressure. Share: