Login  |  Register  |  Contact
Wednesday, April 15, 2009

“PIN Crackers” and Data Security

By Adrian Lane

Really excellent article by Kim Zetter on the Wired Threat Level site in regards to “PIN cracking”, and some of the techniques being employed to gather large amounts of consumer financial data. I know Rich referenced this post earlier today, but since I already wrote about it and have a few other points I think should be mentioned, hopefully you will not mind the duplicated reference.

Before I delve into some of the technical points, I want to say that I am not certain if the author desired a little sensationalism to raise interest, or if the security practitioners interviewed were not 100% straight with the author, or if there was an attempt to disguise deployment mistakes by hyping the skills of the attacker, but the headline and some of the contents are misleading. The attackers are not ‘cracking’ the ATM PINs, as the encryption is not what is being attacked here. Rather they are ‘scraping’ the memory of the security devices, looking for unencrypted data or the encryption keys. In this case by grabbing the data when it is unencrypted and vulnerable (in a cryptographic sense if not the physical one) within the Hardware Security Device/Module/Unit for electronic funds transfers, hackers are in essence sniffing unencrypted data.

The attack is not that sophisticated, nor is it new, as various eavesdropping methods have been employed for years, but that does not mean that it is easy. Common tactics include altering the device’s operating system or ‘attaching’ to the hardware bus to access keys and passwords stored in memory, thus bypassing intended interfaces and protections. Some devices of this type are even constructed in such a way that physical tampering will destroy the machine and make it apparent someone was attempting to monitor information. Some use obfuscation and memory management technologies to thwart these attacks. Any of these requires a great deal of study and most likely trial and error to perfect. Unless of course you leave the HSM interface wide open, and your devices were infected with malware, and hackers had plenty of time to scan memory locations to find what they wanted.

I am going to maintain my statement that, until proven otherwise, this is exactly what was going on with the Heartland breach. For the attack to have compromised as many accounts as they did without penetrating the Heartland facility would require this kind of compromise. It implies that the attackers have access to the HSM, most likely exploiting negligent security of the command and control interface, and infecting the OS with malicious code. Breaking into the hardware or breaking the crypto would have been a huge undertaking, requiring specialized skills and access.

Part of the reason for the security speed-bump post was to illustrate that any type of security measure should be considered a hindrance; with enough time, skill and access, the security measure can be broken. Enough hindrances in place can provide good security. Way back when in my security career, we used to perform hindrance surveys of our systems to propose how we might break our own systems, under what circumstances this could be done, and what skills and tools would be required. Breaking into an HSM and scraping memory is a separate and distinct skill from cracking encryption (keys), and different from writing SQL and malware injection code. Each attack has a cost in time and skill required. If you had to employ all of them, it would be very difficult for a team of people to accomplish. Some of the breaches, both public as well as undisclosed breaches I am aware of, have involved exploitation of sloppy deployments, as well as the other basic exploitation techniques. While I agree with Rich’s point that our financial systems are under a coordinated multi-faceted attack, the attackers had unwitting help.

Criminals are only slightly less lazy than system administrators. Security people like to talk about thinking like a criminal as a precursor to understanding security, and we pay a lot of lip service to it, but it is really true. We are getting to watch as hackers work through the options, from least difficult to more difficult, over time. Guessing passwords, phishing, and sniffing unencrypted networks are long since pase, but few are actively attacking the crypto systems as they are usually the strongest link in the chain. I know it sounds really obvious to say that attackers are looking at easy targets, but that is too simplistic. Take a few minutes to think about the problem: if your boss paid you to break into a company’s systems, how would you go about it? How would you do it without being detected? When you actually try to do it, the reality of the situation becomes apparent, and you avoid things that are really freakin’ hard and find one or two easy things instead. You avoid things that are easily detectable and being watched. You learn how to leverage what you’re given and figure out what you can get, given your capabilities. When you go through this exercise, you start to see the natural progression of what an attacker would do, and you often see trends which indicate what an attacker will try and why.

Despite the hype, it’s a really good article and worth your time.

–Adrian Lane

Oracle CPU for April 2009

By Adrian Lane

Oracle released the April 2009 Critical Patch Update; a couple serious issues are addressed with the database, and a couple more that concern web application developers.
For the database server, there are two vulnerabilities that can be remotely exploited without user credentials. As is typical, some of information that would help provide enough understanding or insight to devise a workaround is absent, but a couple are serious enough that you really do need to patch, and I will forgo a zombie DBA patching rant here. If you are an Oracle 9.2 user, and there are a lot of you out there still, there is a vulnerability with the resource manager. Basically, any user with create session privileges, and as all users are required to have this in order to connect to the database, it is only going to take one “Scott/Tiger”, default account or brute forced user account to exercise the bug and take control of the resource manager. Very few details are being published, and the CVSS “Base Score” system is misleading at best, but a score of 9 indicates a takeover of the resource manager, which is often used to enforce polices to stop DoS and other security/continuity policies, and possibly leveraged into other serious attacks I am not clever enough to come up with in my sleep deprived state. If this can be implemented by any valid user, it is likely a hacker will locate one and take advantage.
The second serious issue, referenced in CVE-2009-0985, is with the IMP_FULL_DATABASE procedure created by catexp.sql, which runs automatically when you run catalog.sql after the database installation. This means you probably have this functionality and role installed, and have a database import tool that runs under admin privileges- which a hacker can use on any schema. Attack scenarios over and above a straight DoS may not be obvious, but this would be pretty handy for surreptitious alteration and insertion, and the hacker would be able to then exercise this imported database. As I have mentioned in previous Oracle CPU posts, these packages tend to be built with the same set of assumptions and coding behaviors, so I would not be surprised if we discover that EMP_DATABASE_FULL and EXECUTE_CATALOG_ROLE have similar exploits, but this is conjecture on my part. This is serious enough that you need to patch ASAP! And if you have not already done so, you’ll want to review separation of user responsibilities across admin roles as well. I know it is a pain in the @$$ for smaller firms, but it avoids cascaded privileges in the event of a breach/hack.
Finally, CVE-2009-1006 for JRockit and CVE-2009-1012 for the WebLogic Server are in response to complete compromises (Base Score 10) to the system, and should be considered emergency patch items if you are using either product/platform. If we get enough information to provide any type of WAF signature I will, but it will be faster and safer to download and patch.
Red Database Security has been covering many of the details on these attacks, and there are some additional comments on the Tech Target site as well.

–Adrian Lane

The Network Security Podcast, Episode 146

By Rich

Things are so crazy this week, getting ready for RSA, that I nearly forgot we record this little podcast thing every week. Sure, I’ve only been doing it every week for over a year, but you’d think I’d learn to remember.

This week we start by reviewing all the happenings at RSA, before talking about the cable cuts in the Bay Area and the Twitter worm. Martin and I will be doing our best to push out shorter daily shows (usually interviews) every day at RSA, and these tend to be some of our more popular episodes.

The Network Security Podcast, Episode 146.


Project Quant: Goals

By Rich

In our last post we introduced the overall idea behind this project, and the Totally Transparent Research process we will follow. Now it’s time to describe the project in a little more detail and lay out our overall goals. As with everything else in this project, the goals aren’t only open for comment/debate, but feedback (both positive and negative) is encouraged.

Objective: The objective of Project Quant is to develop a cost model for patch management response that accurately reflects the financial and resource costs associated with the process of evaluating and deploying software updates (patch management).

Additional Detail: As part of maintaining their technology infrastructure, all organizations of all sizes deploy software updates and patches. The goal of this project is to provide a framework for evaluating the costs of patch management, while providing information to help optimize the associated processes. The model should apply to organizations of different sizes, circumstances, and industries. Since patch management processes vary throughout the industry, Project Quant will develop a generalized model that reflects best practices and can be adapted to different circumstances. The model will encompass the process from monitoring for updates to confirming complete rollout of the software updates, and should apply to both workstations and servers. The model should be unbiased and vendor-neutral.

Deliverables: The end deliverable will include a written report and a spreadsheet-based model. Additional written material and presentations may be developed to support the project goals.

Research Process: All materials will be made publicly available throughout the project, including internal communications (the Totally Transparent Research process). The model will be developed through a combination of primary research, surveys, focused interviews, and public/community participation. Survey results and interview summaries will be posted on the project site, but certain materials may be anonymized to respect the concerns of interview subjects. All interviewees and survey participants will be asked if they wish their responses to remain anonymous, and details will only be released with consent. Securosis and Microsoft may use their existing customers and contacts for focused interviews and surveys, but will also release public calls for participation to minimize bias due to participant selection.

Deadline: The project deliverables should be released in the June timeframe.

We’re thinking the model will start with monitoring for updates, moving through evaluation, testing, and eventual rollout. It should include all different kinds of updates, reflect operational realities, and even include options for skipping patches or outsourcing. It should account for personnel/resourse costs, downtime, and all the other minutia we know affects patch management. We think we may end up having to define some roles, unless we can find something that’s somewhat standardized already out there.

Our next step is to develop the macro version of the model, which will likely be focused on identifying the patch management process and what’s included at each phase. To support this, we plan on interviewing, and will release a call for participation. We’ll also post our proposed interview questions for feedback before we actually start talking with people. Then we’ll post the results with our first overview, and seek public feedback.

So let us know what you think, and we should be back soon with the survey questions and our first general directions for the model. Keep in mind that since we’re working totally out in the open, most of what you see won’t be even close to polished and should always be considered work in progress.


Announcing Project Quant: New Security Metrics Project (with Microsoft)

By Rich

We spend a lot of time talking about security metrics over here, and I’ve been pretty critical of both overly-broad initiatives that don’t help people get their day to day jobs done, and “fluffy” models that try to put hard numbers on risks/threats and such. Well, it looks like it’s time for me to put up or shut up.

I’m pleased to announce our latest metrics project, which we’re currently calling Project Quant. (Yes we need a better name). We were approached by Jeff Jones at Microsoft to help build an independent model to measure the costs and effectiveness of patch management. This will be a hard metrics model, focused on measuring the operational processes associated with patch management. The goal is to provide IT organizations a tool they can use to measure how effective they are, and track that over time.

I’m excited about this project for two main reasons:

  1. We get to focus on hard, practical metrics people can use to improve operations.
  2. We are following a “radical” version of our Totally Transparent Research process to ensure objectivity.

We’ve set up a dedicated landing area for the project at http://securosis.com/projectquant where we will be posting all the materials. Here are the bits you might care about:

  1. We are soliciting as much participation in the project as possible- including competing vendors, end users of all sizes, consultants, whoever.
  2. The project has a deadline of late June, so this won’t drag out indefinitely. The first version may not be perfect, but come the end of June there will be a first version.
  3. We really need you to get involved. We’ll be asking for survey participants, reviewers, and just plain ‘ol grumpy commenters to keep us honest, and help produce a useful result.
  4. The results will be released under a Creative Commons license in an open format.

We have the first two posts up at the landing site. The first, Introducing Project Quant, provides an overview of the project and the research process. The second, Project Quant: Goals delves into the project goals in more detail.

This is a pretty huge project, even though it’s laser focused on one single operational area. Hopefully you like the idea, and are interested in participating.


Our Financial System is Under a Coordinated, Sophisticated Attack

By Rich

This is a great day for security researchers, and a bad day for anyone with a bank account.

First up is the release of the 2009 Verizon Data Breach Investigations Report. This is now officially my favorite breach metrics source, and it’s chock full of incredibly valuable information. I love the report because it’s not based on bullshit surveys, but on real incident investigations. The results are slowly spreading throughout the blogosphere, and we won’t copy them all here, but a few highlights:

  1. Verizon’s team alone investigated cases that resulted in the loss of 285 million records. That’s just them, never mind all the other incident response teams.
  2. Most organizations do a crap job with security- this is backed up with a series of metrics on which security controls are in place and how incidents are discovered.
  3. Essentially no organizations really complied with all the PCI requirements- but most get certified anyway.

Liquidmatrix has a solid summary of highlights, and I don’t want to repeat their work. As they say,

Read pages 46-49 of the report and do what it says. Seriously. It’s the advice that I would give if you were paying me to be your CISO.

And we’ll add some of our own advice soon.

Next is an article on organized cybercrime by Brian Krebs THAT YOU MUST GO READ NOW. (I realize it might seem like we have a love affair with Brian or something, but he’s not nearly my type). Brian digs beyond the report, and his investigative journalism shows what many of us believe to be true- there is a concerted attack on our financial system that is sophisticated and organized, and based out of Eastern Europe.

I talked with Brain and he told me,

You know all those breaches last year? Most of them are a handful of groups.

Here are a couple great tidbits from the article:

For example, a single organized criminal group based in Eastern Europe is believed to have hacked Web sites and databases belonging to hundreds of banks, payment processors, prepaid card vendors and retailers over the last year. Most of the activity from this group occurred in the first five months of 2008. But some of that activity persisted throughout the year at specific targets, according to experts who helped law enforcement officials respond to the attacks, but asked not to be identified because they are not authorized to speak on the record.

One hacking group, which security experts say is based in Russia, attacked and infiltrated more than 300 companies – mainly financial institutions – in the United States and elsewhere, using a sophisticated Web-based exploitation service that the hackers accessed remotely. In an 18-page alert published to retail and banking partners in November, VISA described this hacker service in intricate detail, listing the names of the Web sites and malicious software used in the attack, as well as the Internet addresses of dozens of sites that were used to offload stolen data.

Steve Santorelli, director of investigations at Team Cymru, a small group of researchers who work to discover who is behind Internet crime, said the hackers behind the Heartland breach and the other break-ins mentioned in this story appear to have been aware of one another and unofficially divided up targets. “There seem, on the face of anecdotal observations, to be at least two main groups behind many of the major database compromises of recent years,” Santorelli said. “Both groups appear to be giving each other a wide berth to not step on each others’ toes.”

Keep in mind that this isn’t the same old news. We’re not talking about the usual increase in attacks, but a sophistication and organizational level that developed materially in 2007-2008.

To top it all off, we have this article over at Wired on PIN cracking. This one also ties in to the Verizon report. Another quote:

“We’re seeing entirely new attacks that a year ago were thought to be only academically possible,” says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. “What we see now is people going right to the source … and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks.”

If you read more deeply, you learn that the bad guys haven’t developed some quantum crypto, but are taking advantage of weak points in the system where the data is unencrypted, even if only in memory.

Really fascinating stuff, and I love that we’re getting real information on real breaches.


Tuesday, April 14, 2009

Security Inevitabilities

By Rich

Despite my intensive research into cryonics, I have to accept that someday I will die. Permanently. I don’t know when, where, or how, but someday I will cease to exist. Heck, even if I do manage to freeze myself (did you know one of the biggest cryonincs companies is only 20 minutes from my house?), get resurrected into a cloned 20-year-old version of myself, and eventually upload my consciousness into a supercomputer (so I can play Skynet, since I don’t really like most people) I have to accept that someday Mother Entropy will bitch slap me with the end of the universe.

There are many inevitabilities in life, and it’s often far easier to recognize these end results than the exact path that leads us to them. Denial is often closely tied to the obscurity of these journeys; when you can’t see how to get from point A to point B (or from Alice to Bob, for you security geeks), it’s all too easy to pretend that Bob Can’t Ever Happen. Thus we find ourselves debating the minutiae, since the result is too far off to comprehend.

(Note that I’d like credit for not going deep into an analogy about Bob and Alice inevitably making Charlie after a few too many mojitos).

Security includes no shortage of inevitabilities. Below are just a few that have been circling my brain lately, in no particular order. It’s not a comprehensive list, just a few things that come to mind (and please add your own in the comments). I may not know when they’ll happen, or how, but they will happen:

  • Everyone will use some form of NAC on their networks.
  • Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won’t be magnetic strips.
  • Everyone will use some form of DLP, we’ll call it CMP, and it will only include tools with real content analysis.
  • Log management and SIEM will converge into single products. Completely.
  • UTM will rule the day on the perimeter, and we won’t buy separate boxes for every function anymore.
  • Virtualization and information-centric security will totally fuck up network security, especially internally.
  • Any critical SCADA network will be pulled off the Internet.
  • Database encryption will be performed inside the database with native functionality, with keys managed externally.
  • The WAF vs. secure development debate will end as everyone buys/implements both.
  • We’ll stop pretending web application and database security are different problems.
  • We will encrypt all laptops. It will be built into the hardware.
  • Signature AV will die. Mostly.
  • Chris Hoff will break the cloud.


Monday, April 13, 2009

Introducing Project Quant

By Rich

Much to our own surprise, we’ve been doing a lot of work on security metrics over the past year. From our work with Mozilla, to the Business Justification for Data Security, we’ve found ourselves slicing and dicing the numbers and methodologies to develop tools that provide a little more insight into managing security operations, help communicate with the business side, and justify where and what we spend on security. Security, like any maturing industry, is more than just banging away on the latest technologies. We require methodologies to assist us in optimizing our programs, prioritizing our efforts, and make sound business (of security) decisions. And I don’t mean only justification metrics to communicate risk and value to get budgets, but internal, operational measurements that directly apply to daily security decisions.

That’s why I’m excited to announce we were approached by Jeff Jones at Microsoft to work with him on a new project around the metrics of patch management. We are handling this one very differently than our other projects, and it’s as much an experiment with a new research process as it is one of security metrics.

As you know, we are incredible sticklers about our objectivity and producing research that’s free of bias (well, except for our bias). For our other projects, even when they were sponsored by vendors, the sponsor wasn’t involved in the creation of the research at all. For this project Jeff wanted to be involved, but also asked for an open, unbiased model that will be useful to community at large (in other words, he didn’t ask for a sales tool). Rather than us developing something back at the metrics lab, Jeff asked us to lead an open community project with as much involvement from different corners of the industry as possible.

We feel this fits with our Totally Transparent Research process where all the research is developed out in the open, and everyone gets to contribute, comment on, and review the content during development. We feel this is the best way to reduce bias, and even if there is bias, at least there’s a paper trail. Yes, it’s risky for us to allow direct involvement of the sponsor, but we’re hoping that the process works as we think it will, which also happens to match Microsoft’s project goals.

In this post we’re going to describe the process, and in the next post we’ll detail the project goals. We’d like feedback on both the project process and goals, since that helps keep them straight. We’re totally serious – none of us wants a biased or narrowly useful result; we wouldn’t participate in this project if we didn’t feel we could provide something of value to the community that also fits with our objectives as independent analysts.

  1. We are establishing a project landing site here at Securosis which will contain all material and research as it is developed. Right now we have comments set up for feedback, and we should have that switched over to a forums system very soon. [DONE]
  2. Every piece of research will be posted for public comment. No comments will be filtered unless they are spam, totally off topic, or personal insults. On the off chance you don’t see your comment right after posting, it may have gotten stuck in our blog spam filters, so please email me directly to pull it out.
  3. Everyone is encouraged to comment and contribute – including competing vendors – and anonymous comments are supported. We only ask that if you are a vendor with skin in the game (a product related to patch management) that you identify yourself (we’ll call you out if we think you aren’t being open).
  4. All significant contributors will be acknowledged in the final report. The bad side is that we won’t be able to financially compensate you, and the project itself will retain ownership rights. Someday we’ll figure out a better way to handle that, and suggestions are appreciated.
  5. All material will be released under a Creative Commons license (TBD).
  6. Spreadsheets will be released in both Excel and open formats. Other written documents will be released as PDF (no, it’s not technically open, but if you have real problem with PDF email me).
  7. On the back end, we are tagging, archiving, and making public all our project-related emails. We won’t be recording phone calls, but will be releasing meeting notes.
  8. All materials will be consolidated on the project site, with major deliverables also posted to the Securosis blog.

In short, we are developing all research out in the open, soliciting community involvement at every stage, making all the materials public, acknowledging contributors, and eventually releasing the final results for free and public use. The end goal of the project is to deliver a metrics model for patch management response to help organizations assess their costs, optimize their process, and achieve their business goals.

Let us know what you think, even if you think we’re just full of it…

(Oh, and we’re not totally thrilled with the project name, so please send us better ideas)


The Securosis Recovery Breakfast at RSA: RSVP to Win a Chumby

By Rich

We’ve been hinting at it over Twitter and in other blog posts, but it’s official. We’re sponsoring our First Annual Recovery Breakfast Wednesday morning at the RSA conference (8-11 am at Jillian’s). We’ll have hot and cold food, a selection of over-the-counter recovery items, and the hair of the dog of your choice. No marketing, speeches, or anything else (especially since we’ll be in rough shape ourselves).

Since we have no idea how many people might show up, we’re asking you to RSVP if you think there’s a reasonable chance you’ll make it. To add a bit of incentive, we will be randomly selecting one RSVP to win a Chumby. You still have to show up to win, but we’ll pre-select your name so you don’t have to be there at any particular time. Just email us at rsvp@securosis.com. (We’ll need the winner’s real address to ship it to you, since it takes too much space in our bags, but we’ll just collect that at the event.

We hope you’ll be able to join us, and we’ll see you at the show…



Friday, April 10, 2009

Friday Summary: April 10, 2009

By Rich

It was nearly three years ago that I started the Securosis blog. At the time I was working at Gartner, and curious about participating in this whole "social media" thing. Not to sound corny, but I had absolutely no idea what I was getting myself into. Sure, I knew it was called social media, but I didn’t realize there was an actual social component. That by blogging, linking to others, and participating in comments, we are engaging in a massive community dialogue. Yes, since becoming an analyst I’ve had access to all the little nooks of the industry, but there’s just something about a public conversation you can’t get in a closed ecosystem. Don’t get me wrong- I’m not criticizing the big research model- I could never do what I am now without having spent time there, and I think it offers customers tremendous value. But for me personally, as I started blogging, I realized there were new places to explore. At Gartner I learned an incredible amount, had an amazingly good time, and made some great friends. But part of me (probably my massive ego) wanted to engage the community beyond those who paid to talk to me.

Thus, after seven years it was time to move on and Securosis the blog became Securosis, L.L.C.. I didn’t really know what I wanted to do, but figured I’d pick up enough consulting to get by. I didn’t even bother to change my little WordPress blog, other than adding a short company page.

It’s now nearly two years since jumping ship without a paddle, boat, lifejacket, any recognizable swimming skills, or a bathing suit. We’ve grown more than I imagined, had a hell of a lot of fun, posted hundreds of blog entries, authored some major research reports, and practically redefined the term "media whore". But we still had that nearly unreadable white-text-on-black-background blog, and if you wanted to find specific content you had to wade through pages of search results. Needless to say, that’s no way to run a business, which is why we finally bit the bullet, invested some cash, and rebuilt the site from scratch. For months now we’ve been blogging less as we spent all our spare cycles on the new site (and, for me, having a kid). I realize we’ve been going on and on about it, but that’s merely the byproduct of practically crapping our pants because we’re so excited to have it up. We can finally organize our research, help people learn more about security, and not be totally embarrassed by running a corporate site that looked like some idiot pasted it together while bored one weekend. Which it was.

I asked Adrian for some closing thoughts, and I absolutely promise this will be the last of our self-congratulatory, self-promotional BS. The next time you hear from us, we’ll actual put some real content back out there.


Some of you may not know this, but I had been working with Rich for a couple of months before most people noticed. Learning that was unsettling! I was not sure if our writing was close enough that people could not tell, or worse, no one cared. But we soon discovered that the author names for the posts was not always coming up so people assumed it was Rich and not Chris or myself. It was several months later still when I learned that the link to my bio page was broken and was not viewable on most browsers. We were getting periodic questions about what we do here, other than blog on security and write a couple white papers, as lots of regular readers did not know. It never really dawned on Rich or I, two tech geeks at heart, to go look at how we presented ourselves (or in this case, did not present ourselves). When a couple business partners brought it up, it was a Homer Simpson "D’oh" moment of self-realization. Rich and I began discussing the new site October of last year, and as there was a lot of stuff we wanted to provide but could not because WordPress was simply not up to the challenge, we knew we needed a complete overhaul. And we still were getting complaints that most people had trouble reading the white text on black background. Yes, part of me will miss the black background ..It kind of conveyed the entire black hat mind set; breaking stuff in order to teach security. It embodied the feeling that "yeah, it may be ugly, but it’s the truth, so get used to it". Still, I do think the new site is easier to read, and it allows us to better provide information and services. Rich and I are really excited about it! We have tons of content we need to tune & groom before we can put it public into the research library, but it’s coming. And hopefully our writing style will convey to you that this blog is an open forum for wide open discussion of whatever security topic you are interested in. Something on your mind? Bring it!


And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences:
    Favorite Securosis Posts:
    Favorite Outside Posts:
      Top News and Posts:

      Blog Comment of the Week:

      This week’s best comment was from Allen Baranov on RSA Conference: For Real?:

      Yeah … and it was only after I submitted both my credit card details and PIN number that I realised that I’m not even going to the RSA conference.


      Thursday, April 09, 2009

      Sudo Reboot Securosis

      By Rich

      If you can read this, you’ve found the brand spanking new Securosis! We’d call it Securosis 2.0, but we hate all that “2.0” stupidity. (We also hate “next generation”, for the record).

      If I was in the terrain park I’d say I’m totally stoked, but since I’m only sitting at home in the office I’ll have to settle for really fracking excited!

      We’ve been working on this for months, and we sure as heck hope you like it. There are a ton of new features, and we moved over to a new platform to support all sorts of goodness down the road. We know not everything is quite perfect yet, but we think we’re off to a great start and it’s far more functional than the old site.

      Aside from the platform switch, the biggest addition is the Securosis Research Library. We know a lot of people come here to learn about the topics we cover, and rather than forcing you to crawl through a search engine we wanted one nice area that guides you exactly to what you’re looking for. We have one page per topic, with all the best things we’ve written or recorded on that subject, in a recommended reading order. You can even subscribe to it as an RSS feed and it will stay current in your reader. Right now we have only a handful+ of pages in there, but our goal is to flush it out with all the topics we cover, at the rate of 1-2 per week. We’re also adding content, such as presentations, on a daily basis as we get everything converted.

      We now have a much better search engine and a cool tag cloud, and we’ve completely reorganized how we publish our whitepapers and other major content (you can find it in the Research Library).

      For those of you who have registered here before, we pulled your user accounts over but killed your passwords. Just click on this link to reset your password and you’ll be right back in.

      Finally, we know some of you were getting updates via email. We couldn’t migrate that over, but we set up a sweet new Daily Digest using MailChimp.

      I’m totally friggen’ exhausted, so with that I’m going to grab a beer, go to sleep, and see what’s broken in the morning. I’d like to thank Insight Design for our awesome look, and Adam Khan of Engaging.net for all the help getting things running.

      Need. Beer. Now.


      Wednesday, April 08, 2009

      We’re Moving! Site and Subscriptions Update

      By Rich

      We are putting the final touches on the new site and should be launching it within the next 24 hours. Being the eternal optimists, we’re pretty sure something will go wrong, but maybe we’ll luck out and those beers we bought the migration gods will pay off.

      We’re pretty excited- aside from moving us off the Mogull Special design template, we’re switching to a more secure system, adding a bunch of features, and finally organizing all our content. Thursday’s move is only the first step- we’re already working on some additional content and features we hope you’ll like.

      If you subscribe to Feedburner RSS you won’t notice any changes. After this move we won’t be pointing people to Feedburner anymore, but we’ll keep it active. We don’t think we have any direct subscribers, but if you happen to use a non-Feedburner feed, you’ll need to visit the new site and re-subscribe. Otherwise, the transition should go smoothly, but we hope you RSS only readers will still come and check out the new site (and features).

      **If you subscribe to the email updates**

      We’re changing to an entirely new email system and your subscription may not carry over. Yeah, it stinks, but we didn’t have many options. If you get emails of our feed from Feedburner you won’t notice any changes. If you subscribed directly on the site, you’ll need to visit the new site and sign up again- we have a big link right there on the blog page (on the right side), and all you need to enter is an email address.

      Wish us luck- we’ll need it!

      And don’t forget to visit the new site… same address, more pizzaz.

      (not more pizzas, which would probably get us more readers)


      Monday, April 06, 2009

      RSA Conference: For Real?

      By Adrian Lane

      Did anyone else get this email?

      You are receiving this email because you are registered for RSA® Conference 2009. Your account information needs to be activated so that you can take full advantage of all the Conference activities including access to the Conference Personal Scheduler and access to the Conference wireless network while on-site. … Please take a moment now to log-in and complete your account activation athttps://sso.rsaconference.com/sso/LogIn.jsp   using the following temporary password - %_DWqwet(M. You will then be prompted to confirm your profile information and reset your password. Your username is not included in this email for security purposes. If you are unsure of what your username is, you can retrieve it online at https://sso.rsaconference.com/sso/RetrieveUserName.jsp. You can log in to your account anytime at https://sso.rsaconference.com/sso/LogIn.jsp. … For more information on RSA Conference Single Sign-on, please visit our website or contact us atloginhelp@rsaconference.com.  Sincerely, RSA® Conference Team

      Wow, is this a phishing attempt out to the RSA list? Awesome!

      –Adrian Lane

      Friday, April 03, 2009

      Friday Summary, April 3, 2009

      By Adrian Lane

      The big news at Securosis this week centered around the Conficker worm. As Rich blogged earlier in the week, he got a call from Dan Kaminsky on Saturday with the outline of what was going on. Rich and I scrambled Saturday to reach as many AV vendors as we could to get the word out. While some were initially a little annoyed at getting called on their cell phones Saturday afternoon, everyone was really eager to see what Tillmann Werner and Felix Leder had discovered and get their scanning tools updated. I expected things to be quiet on April 1st. A lot of security researchers have been watching and studying the worm’s behavior, and devising plans for detecting and containing the threat. I imagine the authors of the worm are reading every bit of news they can get their hands on and learning how to improve their code in response. This has been fascinating to watch. Thanks again to the Honeynet Project and Dan Kaminsky for doing a great job, and for involving us in the effort.

      On a more personal note, you probably have noticed that neither Rich nor I have been blogging as much lately, partially due to our desire to not create more work for ourselves prior to the new site launch; partially because, well, family comes first. For those of you who know me, you know I have dogs. When people ask me if I have kids, I typically say “No, I have dogs.” What I mean to say is “Yes, several; of the four legged variety.” March has been a terrible month for me because in the first few days one of my puppies went into kidney failure as she had been prescribed the wrong pain medication and dosage. I spent 5 days at the emergency vet clinic with her, even signing the DNR papers as we did not think she would make it. Happy to say she did, and is slowly recovering her ability to walk and some of the 30 lbs. she lost. A couple of days after I got back from Source Boston, her brother, and our all time favorite, started having trouble breathing. To make a long story short, we found cancer everywhere, and he only made it five days after his first visible symptoms, dying in my lap Tuesday morning. We know even several of you hardened veterinarians and long time breeders who have “seen it all” shed a tear over this one, and Emily and I understand and appreciate your heartfelt condolences. Looking forward to a much brighter and happier April.

      And now for the week in review… at least what little of it I managed to notice:

      Webcasts, Podcasts, Outside Writing, and Conferences:

      Favorite Securosis Posts:

      Favorite Outside Posts:

      Top News and Posts:

      • Microsoft Security Advisory 969136 for MS Office PowerPoint.
      • Internet too dangerous? I think most people just do not appreciate how dangerous it is.
      • Conficker ‘eye-chart’. This is a great idea and works for several malware variants.
      • One topic I really wanted to blog on this week was the Internet Crime Complaint Center report that incidents (discovered and reported, of course) were up 33% year over year.
      • Mini-Botnets. Smaller, just as much of a problem.
      • The Open Cloud Manifesto. Ugh. Too many grandstanders with too little to say. If Hoff wants to fight that fight, fine, but it feels like yelling at the wind to me. Just not worth the time jumping into this mess until there is a bit more of a market. Don’t get me wrong- Rich and I will cover cloud and virtualization security in the future, maybe even this year. But not in response to this, and when we do, will will try to have something to say that does not suck.

      Blog Comment of the Week:

      This week’s best comment was from ‘Anonymous’:

      @Andre, I think once the Institute store makes its exclusive gear available, you should be the first to buy an ASS hat.

      We are working on the merchandise page for the new site … we will be sure to stock those hats.

      –Adrian Lane

      Wednesday, April 01, 2009

      Dino Dai Zovi on The Network Security Podcast

      By Rich

      Just a quick note today since I’m totally distracted by having some family in town.

      Episode 144 is up and features Dino Dai Zovi… co-author of The Mac Hackers Handbook. It’s a great interview, especially if you are interested in Mac security issues. We also discuss the No More Free Bugs meme.

      You can download the episode here…