Login  |  Register  |  Contact
Tuesday, March 31, 2009

New Application Security Certification Launched

By Rich

We’ve been talking a lot about application security since we started this blog, and one thing we’ve been tracking closely are training and certification programs. 200903312137.jpg While we couldn’t talk about it, we’ve been quietly involved with the Institute for Certified Application Security Specialists. We reviewed the program during development, and were overall pretty impressed. It has very similar requirements to the CSSLP, but is more cost effective for security practitioners… something we can all appreciate in this economy. Believe it or not, despite my not-infrequent diatribes against various certifications, I actually went through the process myself and am fully certified. What I really appreciate is how pragmatic the program is, and how it really reflects the operational realities of application security.

You can get more information at the Institute for Certified Application Security Specialists, and as a member of the affiliate program Securosis readers receive a 10% discount.

Oh- and don’t forget to join the LinkedIn Group!

–Rich

Monday, March 30, 2009

Comments on “Containing Conficker”

By Adrian Lane

As you have probably read, a method for remotely detecting systems infected with the Conficker worm was discovered by Felix Leder and Tillmann Werner. They have been working with Dan Kaminisky, amongst others, to come up with a tool to detect the worm and give IT organizations the ability to protect themselves. This is excellent news. The bad news is how unprepared most applications are to handle threats like this. Earlier this morning, the guys at The Honeynet Project were kind enough to forward Rich and myself a copy of their Know Your Enemy: Containing Conficker paper. This is a very thorough analysis of how the worm operates. I want keep my comments on this short, and simply recommendation strongly that you read the paper. If you are in software development, you need to read this paper.

Their analysis of Conficker illustrates that the people who wrote it are far ahead of your typical application development team in their understanding of application security. Developers need to understand the approach that attackers are taking, understand the dedication to their craft these guys are exhibiting, and increase their own knowledge and dedication if they are going to have a chance of producing code that can counter these types of threats.

Is Conficker a well-written piece of code? Is it architected well? No idea. But it is clear that each iteration has advanced their three core functions (find & infect, maintain, & defend) and had this flexibility in mind from the begining. Look at how Conficker uses identification techniques to protect itself in avoid downloading the wrong/malicious patches to their worm. And check out the examination of incoming requests to help protect their now infected system from other viruses. This should serve as an example of how to write internal monitoring code to detect exploit attempts (see section 4), either in lieu of a full blown patch, or as self-defending code at critical points, or both. And it is done in a manner that gives them a generic tool that, when updated, will be an effective anti-malware tool. Neat, huh? The authors have a pretty good understanding of randomness and used multiple sources, not only to get better randomness, but to avoid an attack on any one- smart. These are really good application security practices that very few software authors actually put into practice. Heck, most web applications trust everything that comes in, and it looks like the authors of Conficker understand that you must trust nothing!

Once again, if you are a software developer or IT practitioner, read the paper. The research that Felix and Tillmann have put into this is impressive. They have proof points for everything they believe to be true about the worm’s behavior, and have stuck with the facts. This is really time consuming, difficult work. Excellent job, guys!

–Adrian Lane

(Updated) Easily Detect Conficker Infections- Over the Network

By Rich

Update: Dan just let me know that Tillmann Werner and Felix Leder have been working on this for 5 months! Dan came in (and then brought me in) only on Friday. They deserve major credit and thanks for this impressive work. Also, Nmap (which is still free) and the free feed of Nessus have their signatures out for those of you that don’t have an enterprise product.

Ever since last year, I always get a little nervous when Dan Kaminsky starts asking me certain questions over Twitter. Last time it was the DNS vulnerability, and this time it was something not as big, yet still extremely cool.

Some researchers with the Honeynet Project (Tillmann Werner and Felix Leder) discovered a way to remotely (as in via network scan) detect Conficker infections. It seems that whoever is behind Conficker attempts to patch the MS08-067 vulnerability when they infect a system so no other attackers can get in. The patch is flawed, causing a specific response to network probes. Yes folks, this means you can tell if a system is infected with Conficker just by scanning it. Now how cool is that?

<

p>The HoneyNet guys contacted Dan for some help, and then he contacted me to get connected with the major scanning vendors. I called Adrian, and we managed to wrangle up nCircle, McAfee, nCircle, Nmap, Qualys, and Tenable (Nessus) and most have already incorporated, or are about to incorporate, Conficker sigs for their scanners. I think Dan is giving me too much credit in his post; all I did was connect the right people with each other; I wasn’t involved in the tool creation or testing. (We did shoot for some other vendors, but didn’t have the right contacts).

I know Dan, the HoneyNet guys, and the vendor research teams all put in a heck of a lot of time on this over the weekend.

Here’s what you enterprise guys need to know:

  1. There is a free proof-of-concept tool available from the HoneyNet Project, or you can contact your network vulnerability assessment vendor to see if they have an updated signature.
  2. This should work on all Conficker variants. (I suspect that won’t last long).
  3. The “Know Your Enemy” paper will be released by the HoneyNet Project in the next couple of days, with far greater detail.
  4. This doesn’t guarantee you will detect all infections, but it’s a powerful way to reduce your risk. We recommend you start scanning immediately if you have the slightest worry over Conficker.
  5. Expect the tools to undergo a series of updates in the next few days as we all learn more. This really is hot-out-of-the-oven stuff that still needs to settle in.
  6. The next phase will be to include this in NAC products for pre-connect scanning.

That’s about it- simple enough! If you start using these and find anything interesting, please come back and post it in the comments.

–Rich

Friday, March 27, 2009

Friday Summary: March 27, 2009

By Rich

It is absolutely amazing how quickly time can rush past during the most momentous moments of your life. It was over three weeks ago that my daughter was born, and I’m still trying to figure out what the f&*% just happened. A lot of people made it sound like my life would suddenly crash to a halt as I vaulted into some other dimension of existence, but the changes, while massive, are also far more subtle and confusing. Needless to say, I blame the reduced sleep (which still isn’t as bad as it was in paramedic school).

While my personal life is changing, so is the world that is Securosis. You may have noticed my nearly complete lack of blogging the past couple of weeks. While I’d like to blame The Nugget, our changes on the corporate side are just as big. We’re close (oh so very close) to unveiling our new website, a major new public project, and a big influx of content. We’re so close that this blog is officially in maintenance mode as we get the last of the old content transferred to the new site, our templates cleaned up, and new content filled in. And the refresh is just the start; as we get the new site stable we are going to keep adding features and content, the vast majority of which will be, as always, free.

On a related note, we’re also working on our RSA schedules, and when the new site launches we will officially announce the Securosis Recovery Breakfast. I’d like to say we’re giving back to the community, but the truth is we’ll need the hangover relief just as badly as any of you.

And now for the week in review… at least what little of it I managed to notice:

Webcasts, Podcasts, Outside Writing, and Conferences:

  • Rich presented “Building a Web Application Security Program” at the Phoenix SANS training. We’ll get it posted once we transfer over to the new site.
  • Rich and Martin hosted another episode of The Network Security Podcast this week, covering some of the CanSecWest news and other happenings.

Favorite Securosis Posts:

Favorite Outside Posts:

  • Adrian: Gunnar Peterson on security people in software development.
  • Rich: John Gruber, at Daring Fireball, on Obsession Times Voice. This is pretty much the most important thing John has written about in a long time. Flat out- if you blog and are obsessed with numbers, you won’t achieve your goals. I barely check our stats, maybe once every other month, and once missed the fact that we had no stats for 3 or 4 months. It’s your passion for writing that brings in readers, not pandering for page views.

Top News and Posts:

Blog Comment of the Week:

Dre on Security Speedbumps:

No No No No No. Layers and defense-in-depth do not work unless you know YOUR OWN risks and point-solution defenses match the risks. “Layering for layering’s sake” does get adversaries poking right through billions of expensive layers. Don’t tempt me to argue against every point in this rant — you just set yourself up for massive failure.

–Rich

Thursday, March 26, 2009

Webcast on Endpoint Encryption Today

By Rich

I’ve been out at the Phoenix SANS event so I almost forgot to post this…

I’ll be presenting on endpoint encryption from 2-3 ET today. The event is sponsored by WinMagic, and you can register here.

I’ll be covering the basics of endpoint encryption- a little bit on why you should do it (I think most of you have heard me say “just encrypt your freaking laptops” by now), an overview of the technology, and enterprise concerns and best practices. I’ll also spend some time talking about how to mix file/folder and full drive encryption.

This one is targeting people without much of a background in endpoint encryption and is mostly introductory material.

–Rich

Tuesday, March 24, 2009

Security Speed-bumps

By Adrian Lane

Reading yet another comment on yet another blog about “what good is ABC technology because I can subvert the process” or “we should not use XYZ technology because it does not stop the threats” … I feel a rant coming on. I get seriously annoyed when I hear these blanket statements about how some technologies are no good because they can be subverted. I appreciate zeal in researchers, but am shocked by people’s myopia in applied settings. Seriously, is there any technology that cannot be compromised?

I got a chance to chat with an old friend on Friday and he reminded me of a basic security tenet … most security precautions are nothing more than ‘speed bumps’. They are not fool-proof, not absolute in the security that they offer, and do not stand unto themselves without support. What they do is slow attackers down, make it more difficult and expensive in time, money, and processing power to achieve their goals. While I may not be able to brute force and already encrypted file, I can subvert most encryption systems, especially if I can gain access to the host. Can I get by your firewall? Yes. Can I get spam through your email filter? Absolutely. Can I find holes in your WAF policy set? Yep. Write malware that goes undetected, escalate user privileges, confuse your NAC, poison your logs, evade IDS, compromise your browser? Yep. But I cannot do all of these things at the same time. Some will slow me down while others detect what I am doing. With enough time and attention there are very few security products or solutions that would not succumb to attack under the right set of circumstances, but not all of them at one time. We buy anti-spam, even if it is not 100% effective, because it makes the problem set much smaller. We try not to click email links and visit suspect web sites because we know our browsing sessions are completely at risk. When we have solid host security to support encryption systems, we drop the odds of system compromise dramatically.

If you have ever heard me speak on security topics, you will have heard a line that I throw into almost every presentation: embrace insecurity! If you go about selecting security technologies thinking that they will protect you from all threats under all circumstances, you have already failed. Know that all your security measures are insecure to some degree. Admit it. Accept it. Understand it. Then account for it. One of the primary points Rich and I were trying to make in our Web Application Security paper was that there are several ways to address most issues. And it’s like fitting pieces of a puzzle together to get reasonable security against your risks in a cost effective manner. What technologies and process changes you select depend upon the threats you need to address, so adapt your plans such that you cover for these weaknesses.

–Adrian Lane

Network Security Podcast, Episode 143

By Rich

With the CanSecWest conference last week, right on the heels of Black Hat Europe, there have been many happenings in the security world. On top of that, our favorite investigative reporter managed to take down yet another group of bad guys by shining his flashlight in the right direction.

<

p>But before we delve into the week’s security news, we spend a little time talking about my shiny new Mac Pro, as Martin gives me a few parenting tips (don’t worry, we try not to bore you too much). I rant a bit on Apple’s stupidity with their cord-length on the new 24” Cinema Display. Seriously, only 3’6”? With no extension available anywhere?!?

Sigh. And now, on to the show.

Network Security Podcast, Episode 143, March 24, 2009

Show Notes:

(Yes, Alan, I just cribbed my own show notes again.)

–Rich

Monday, March 23, 2009

CanSecWest Highlights

By Adrian Lane

I have been reading about the highlights of the CanSecWest show all over the net, and it seems like there were a lot of really cool presentations. TippingPoint’s ‘Pwn2Own’ contest at CanSecWest that started late last week concluded over the weekend. The contest awarded $5,000 to each hacker would could uncover an exploit for any of the major browser platforms (Firefox, Internet Explorer, Chrome, & Safari). Firefox, IE, & Safari were all exploited at least once during the contest, with Chrome the only browser to make it through the trials. Perhaps that is to be expected given its newness. Lots more wrap-up details on the DV Labs site.

I know a lot of security researchers have a bitter taste from the way companies behave when a security flaw is revealed; still, I am always interested in seeing these types of contests as they are great demonstrations of creativity, and the ability to share knowledge amongst experts is great for all of the participants. If this method of “No Free Bugs” works to get discoveries back in the public eye, I think that’s great.

I would have much like to have seen the presentation “Sniff keystrokes with lasers/voltmeters: Side Channel Attacks Using Optical Sampling of Mechanical Energy Emissions and Power Line”. Having previously witnessed what information can be gleaned from power lines, and things like over-the-air Tempest attacks, I would like to see how the state of the art on physical side channels has progressed.

One of the other show highlights was covered by Dennis Fisher over on Threatpost- it appears that the Core Security Technologies team has demonstrated a persistent BIOS attack. There are next to now details on this one, but if they are able to perform this trick without the assistance of a secondary device and only obtaining admin access, this is a really dangerous attack. If you have access to the physical platform, all bets are pretty much off. Looking forward to seeing the details.

–Adrian Lane

Friday, March 20, 2009

Friday Summary, March 20th, 2009

By Adrian Lane

Happy Friday! Rich is off with the family today and probably sneaking in some time to play with his new Mac Pro as well. If I know him, at the first opportunity he will be in the garage, soldering iron in hand, making his own 9’ mini-DVI cable to hook up his new monitor. Family, new baby, and cool new hardware mean I have Friday blog duties. But as I just got back from the Source Boston show, there is much to talk about this week. Across the board, the presentations at Source were really excellent, and some of the finest minds in security were in attendance, so Stacy Thayer and her team get very high marks from me for putting on a great event.

Starting out with a bang, Peter Kuper gave a knockout keynote presentation on the state of financial markets and venture funding for startups. A no-nonsense, no-spin, honest look at where we are today was both a little scary and refreshing for its honesty. He has a post here if you want to read more of his work. David Mortman kicked off the morning sessions with I Can Haz Privacy, updating us on a lot of the privacy issues and legislation going on today. He highlighted the natural link between personal privacy and LOLCATS like no one else, and kept audience participation high by rewarding questions with some awesome homemade wheat bread. The always thought-provoking Adam Shostack gave a presentation on The Crisis in Information Security. I am in complete agreement that despite the hype, breached businesses will continue to function and operate as they always have, and the sky is not falling. And as always, his points are backed by solid research. Even if individual companies generally do not fall, I do still wonder about broader risk to the entire credit card system given its ease of (mis)use, its poor authentication, the millions of stolen credit card numbers floating around, and demonstrated capabilities to automate fraud.

Hoff had his best presentation yet with The Frogs Who Desired a King. While you may or may not be interested in security or cloud computing, this is a must-see presentation. Even if you have been reading his Rational Survivability blog posts on the subject, the clarity of the vision he presented regarding the various embodiments of cloud computing and the security challenges of each is more than compelling, and he has backed it up with a staggering amount of research. I’ve got to say, Chris has raised the bar for all of us in the security field for the quality of our presentations.

After almost missing the show because of a number of issues on the home front, including spending 4 days at the emergency vet clinic as someone accidentally poisoned one of my dogs, I got on the plane and I am glad I made it. I gave a presentation on Data Breaches and Encryption, examining where encryption technologies help and, just as importantly, where they don’t.

My personal “Shock and Awe” award went to Mr. James Atkinson of Granite Island Group TSCM for his presentation on “Horseless Carriage Exploits and Eavesdropping Defenses”. I had no idea that all of these devices were in full effect in most automobiles today, nor that it was this easy to do. Having now given it some thought, though, I think I may have run into some of the devices he discussed. I will be looking through my car this weekend.

It was good to see Dennis Fisher again … and he is just launching a new security news network called Threatpost. This effort is sponsored by Kaspersky and they have started off with a ton of stuff, so it’s worth checking out.

Now I am off to try and enjoy the weekend, so here it is- the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences:

  • Rich and Adrian presented Building a Business Justification for Data Security through SANS. We co-presented with Chris Parkerson of McAfee … and apologies to Chris as Rich and I ran a little long.
  • Adrian chatted with Amrit Williams on the subject of Information Centric Security on the Beyond The Perimeter podcast this week. It should be posted soon.
  • Adrian presented Data Breaches and Encryption last week during the Source Boston event.
  • Rich joined Martin McKeay on the Network Security Podcast this week, talking about Google behavioral ad targeting, Comcast passwords exposed, and the new DNS trojan. They were joined by Bill Brenner of CSO Online so you’ll want to check this one out!

Favorite Securosis Posts:

  • Rich: Adrian’s post on Immutable Log Files.
  • Adrian: My post on Sprint Data Leak… I try not to post on breaches as there are so many, but this has been so bad for so long that I could not help myself.

Favorite Outside Posts:

  • Adrian: Rafal’s post on the Fox News Fail … not for the original post, but the dialog afterwards.
  • Rich: Sure, we’re suckers for a plug, but Jeremiah posts a good list of recent web security related topics.

Top News and Posts:

Blog Comment of the Week: From Ariel at CoreSecurity …

Actually, Kelsey reinvented an idea that was previously exposed and published by Futoransky and Kargieman from Core ([1]) and implemented in the msyslog package ([2]) since 1996.

I learn something new every day! Now, if so many great security minds think this is a good idea, why does no one want this technology?

–Adrian Lane

Wednesday, March 18, 2009

Immutable Log Files

By Adrian Lane

I have been working on a project lately that I don’t really get to talk about much, but it is a technology that I am quite fond of: Immutable Log Files. For those of you who do not know what these are, immutable logs are log files protected from tampering and erroneous insertion. Depending upon the implementation, the files can have additional protections from poisoning and fictional recreation/forgery as well. There are many other names for this type of technology, such as content integrity verification, court admissible evidentiary data, incontrovertible data, and even “signed and sequenced” data. Regardless of name, the intent is to create a tamper-resistant archive of events. A high level overview of the process might look like the following:

Take a log entry, syslog for example, and add a time stamp and/or sequence number to that entry. Create a digital hash of the log entry to ensure integrity, and cryptographically sign it so you know the hash was produced by whatever authority is entrusted with managing the log. Now the log entry contains self-validating information as well. Each subsequent log entry would be bundled with one or more data points from previous log entries prior to creating the hash, to ensure that the sequence of events has not been altered. What you end up with is a chain of events that can be verified for data integrity.

There are many variants to this process that offer additional assurances, but that is the gist of it. I had the opportunity back in 1998 to implement a variant of this technology based upon what I consider to be ground-breaking work by John Kelsey, then of Counterpane. We had a specific problem with dispute resolution we needed to address in our e-Commerce system, and this paper describes both a generic approach to solving the problem, but also includes some references that were specific to our technology and not applicable to most needs. There are a few vendors that have advanced the state of the art in this area, but they largely go unnoticed by the security community at large. While this is a valuable technology for solving certain problems, it remains a rare feature.

I am writing this post as I have a request from both the security and the IT practitioner community. I am interested in knowing if you or your organization uses this type of technology today, or if it is something you have considered? If you are a product vendor and you are thinking about implementing such a technology as a competitive differentiator, I would greatly appreciate a heads-up. I am seeing some indications that this may be a requirement for government based upon the recent draft for tamper resistant syslog files by John Kelsey of NIST, J Callas of PGP, and A Clemm from Cisco, but the status of this draft work remains elusive. I have spoken with a half dozen security strategists who consider this a compelling solution to several different data integrity problems in the areas of eDiscovery and electronic data archival. If this is something you have interest in, please take a minute and post a comment or shoot me an email at alane at securosis with the obligatory dot and com postfix. I would very much like to know what your thoughts are.

–Adrian Lane

Tuesday, March 17, 2009

Securosis at RSA

By Rich

Ah yes, as spring approaches, so does Sundance for Ugly People (as a friend likes to call the RSA Security Conference).

We will, of course, be there. But unlike other years we have a little surprise brewing.

Schedule-wise I’m giving one track session, and participating in 3 panels:

  • Tuesday at 1:30 PM: Discover, Protect, and Securely Share Sensitive Corporate Data (panel on DLP/DRM/etc.).
  • Tuesday at 4:10 PM: “Groundhog Day” – History Repeats Itself (with Rothman, McKeay, Mortman and Ron Woerner- my favorite panel).
  • Thursday at 9:20 AM (those bastards, 9am?): Which Security Tools Take Priority in a Challenging Economic Climate? (panel with Shimel, Rothman, and… okay, sorry to leave someone off). Should be a hoot.
  • Friday at 10:10 AM: Disruptive Innovation and the Future of Security (With The Hoff. Flat out, this session is going to rock, and it’s worth changing your flight to stay for).

We’re still figuring out our schedule for non-official speaking slots. Priority goes to the paying clients (since we are totally… “professionals”… and need to pay for our post RSA rehab trip). We have a few slots open, but also some things on the table and are hoping to lock it down by next week (breakfast/lunch/mid-day stuff only, evenings are all tied up already).

Like many of you, we plan to fully participate in all the evening activities. If you’ve been to RSA before, you also know that comes at a price to be extracted the following morning. To ease your pain, on Wednesday we are sponsoring the Securosis Recovery Breakfast. For a few hours we’ll have an open buffet with all the required recovery tools (aspirin, Tums, activated charcoal administered by an expired paramedic). No presentations, subdued lighting, and loud noises prohibited.

We’ll be posting more details on it next week, and highly encourage you to RSVP so we can make sure we have enough food. The location will be extremely convenient, and we should have it locked down in the next couple of days.

And that’s it! We look forward to seeing everyone there, and if you want to meet, please hit us up as soon as possible so we can coordinate schedules.

–Rich

Monday, March 16, 2009

SANS Webcast Tomorrow - Business Justification for Data Security

By Rich

Hi everyone,

Just a quick note that tomorrow we’ll be giving a webcast about our research behind The Business Justification for Data Security paper we recently released. For those of you with too much ADD to read all 30+ pages, we’ll be covering all the core material and walking through an example case.

The webcast starts at 1pm ET, is with the SANS Institute, and is sponsored by McAfee; you can sign up here.

We’ll also have some time for Q&A, so this is your chance to dig in a little deeper with us.

On another note, we are very close to putting up the new version of the Securosis site- yes Virginia, pretty soon we’ll have more than a default WordPress template. As a consequence, our blog posts might be a little light this week. Don’t worry, the new site will make up for it.

–Rich

Sprint Customer Data Leaked … again

By Adrian Lane

Brian Krebs posted last week that Sprint is claiming an employee has stolen customer data, including pin numbers and the “security question” you can use to recover a password. This is a vendor I have been following for a long time, and I’m surprised we have not seen this type of activity before. From Brian’s blog:

“It appears this employee may have provided customer information to a third party in violation of Sprint policy and state law. We have terminated this employee. The information that may have been compromised includes your name, address, wireless phone number, Sprint account number, the answer to your security question, and the name of the authorized point of contact on your account.”

I wonder if they ever managed to remove the customer’s social security number as the primary key for their customer care database? It would appear that they did at least remove CC# and SSN# from the customer care application UI, which was my primary beef with them:

“We implemented a billing platform about a year ago that has advanced security features designed to catch things like an employee accessing information that they shouldn’t be,” Sullivan said. “That platform limits information that employees can access, such as Social Security numbers, and any sort of payment information.”

I have always considered Sprint lax in regards to their data security practices. They exposed my information before any breach notification laws were in effect, with my personal and billing information going to a third party. Worse, the person who obtained the data called customer care and was subsequently provided my SSN# and was able to shut off my account. Not sure what these “advanced security features” are exactly, but I would need to concede that the improvement must be working if the credit card numbers that they require for account creation were not stolen as well.

I really do wonder if (hope) this will prompt some form of internal investigation, and I always wonder if Sprint could be considered a contributor in this breach case if they provided employees far more data that was necessary to do their jobs. Think of it this way: If it was “thousands” of accounts, clearly the employee must have had access and been able to copy them electronically.

–Adrian Lane

Friday, March 13, 2009

No Friday Summary This Week

By Rich

Hi everyone,

With me adapting to the new baby and holding the fort here at Securosis Central, and Adrian out at the Source conference, I wasn’t able to get our usual weekly summary together.

But not to worry- we have a ton of news and announcements for next week, and some very big announcements over the next 2 weeks.

On that note, I’ll let you all get back to Happy Hour as I finish working on a presentation.

–Rich

Wednesday, March 11, 2009

Go Vote for the Social Security Awards

By Rich

No, we don’t mean vote for your favorite geriatric patriarch or matriarch, but for your favorite security blog.

200903111627.jpg

While I’m a little late posting this (I blame being distracted by the impending, then final, arrival of my incredibly cute daughter), there’s still plenty of time to vote. The awards are all part of the Security Blogger’s Meetup, which started as a little gathering put together by Martin and myself 3 years ago, and is now a pretty big & impressive event, with an actual budget. At least I think it’s impressive- it’s hard to remember after all the free booze.

The Social Security Awards were an idea Alan Shimel came up with to recognize the best security bloggers out there and continue to build our community. You can vote in the following categories:

  • Best Security Podcast
  • Best Technical Security Blog
  • Best Corporate Security Blog
  • Best Non-Technical Security Blog
  • Most Entertaining Security Blog

We’ll tabulate the votes, and then the final winners will be selected by our all-star panel of tech journalists. We’ll be having an awards ceremony at the meetup, and giving out prizes courtesy of Seagate (encrypted hard drives, of course).

Those of us on the organizing committee are excluded from the awards, so please don’t vote for me. Really, it wouldn’t be fair to all the other bloggers if I were competing anyway.

So go vote. Now. I know how many of you are out there reading, and if you don’t vote I’ll tell your mom.

Also, special thanks to Jennifer Leggio for doing nearly all the hard work putting this together.

–Rich