Ever start a simple project – or perhaps ask for something simple to be done on your behalf – and get far more than you bargained for? Sometimes the seemingly simple things reach up and bite you. I was thinking about this two weeks ago, in the middle of some weekend gardening, expecting to tackle a small irrigation leak that popped up during the winter.
I went out to the yard with the handful of tools I would need and started scouting around the pool of standing water to locate the source of the leak, and I found it – more or less. It was buried under some mud, so before I could fix the leak I needed to remove the mud around the irrigation line. Before I could remove the mud I needed to remove the giant rat’s nest on top of the mud – stuffed full of Cholla. Literally. It apperas a rat ate the irrigation line and then used it as a private port-o-let. But in order to remove the rat’s nest I needed to remove the 45 lbs of prickly pear cactus that formed the roof of the rat’s nest. Before I could remove that cactus, I needed to remove the 75 lb Agave that arched over the prickly pear. Before I could get to the agave I needed to remove a dead vine. Before I could cut out the vine I need to remove some tree branches. Each step required a new trip to the garage to collect another tool. And so it went for the next three hours, until I finally found the line and fixed the leak.
When I finally finished that sequence I was rewarded with 30 minutes tweezing prickly pear micro-thorns from my fingers. What should have taken minutes took the entire morning, and left painful reminders. Which brings me to IT: those who provision data centers and migrate backbone business applications know exactly what this feels like – as I was reminded when I told a couple friends about my experience, and they laughed at me. That described their life. They deal with layers of operational, security, regulatory, and budgetary hurdles – mixed liberally with rat droppings – all the time. Someone asks for a small server to host a small web portal and before you know it someone is asking how PCI compliance will be addressed. Say what you will about cost savings being a driver for cloud services – simplicity (or at least avoidance of complexity) is a major driver too. Sometime it’s just better to have a third party do it on your behalf – and that comes (anonymously of course) from some IT professionals.
On to the Summary:
Favorite Securosis Posts
- Gal: Security FUD hits investors. HP bought ArcSight, right?
- Adrian Lane: Gaming the Narcissist. Fun read, and a topic to consider when weighing potential employers, but I’ll offer an alternative view: 1980 to 2008 was itself a wild period for company performance – see Warren Buffet’s speech from November 1999 for what I mean. I’d say Narcissist CEOs succeeded or simply ran off the tracks faster in that window.
- David Mortman: Should the Red (Team) be dead?
- Mike Rothman: Should the Red (Team) Be dead? Yup, it’s mine, but this one created a bit of discussion and even a comment by HD Moore…
Other Securosis Posts
Favorite Outside Posts
- Rich: Analyzing Malicious PDFs or: How I Learned to Stop Worrying and Love Adobe Reader (Part 1).
- Adrian Lane: Oracle Details Big Data Strategy. The FUD, it burns, it burns! My not favorite post this week – I recommend you, with your best Borat impersonation, yell not! after every quote and claim. It’s fun and more accurately reflects what’s happening in the big data market.
- Gal: Alleged Carberp Botnet Ringleader Busted. They’re doing it wrong: Rule #1. You’re supposed to steal from countries where you do not reside, and with whom your home country has no extradition treaty. Rule #2. Don’t steal tons of money from Russian and Ukranian banks regardless of where you live, but especially if you’re violating rule #1 and you live in Russia or Ukraine…
- Dave Lewis: Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight.
- Gunnar: Bitcoin – down ~50% in a day, first DDoS currency crash.
- David Mortman: Tor Hidden-Service Passive De-Cloaking.
- Mike Rothman: Who Wrote the Flashback OS X Worm? All of you aspiring security researchers can once again thank Brian Krebs for showing you how it’s done. And be thankful Krebs has figured out how to make a living from doing this great research and sharing it with us.
Project Quant Posts
- Email-based Threat Intelligence: To Catch a Phish.
- Network-based Threat Intelligence: Searching for the Smoking Gun.
- Understanding and Selecting a Key Management Solution.
- Building an Early Warning System.
- Implementing and Managing Patch and Configuration Management.
- Defending Against Denial of Service (DoS) Attacks.
- Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
- Tokenization vs. Encryption: Options for Compliance.
Top News and Posts
- Security Lessons from the Big DDoS Attacks. A couple weeks old but I just saw it.
- Bitcoin crashes – lose 1/2 value.
- Vudu resets user passwords after hard drives lost in office burglary.
- DEA Accused Of Leaking Misleading Info Falsely Implying That It Can’t Read Apple iMessages.
- Windows XP still maintains 39% overall market share. Speechless.
- Windows XP Security Updates ending in one year. Update your calendars!
- North Korean military blamed for “wiper” cyber attacks against South Korea.
- Lessons from the Spamhaus DDoS incident.
- Microsoft Reportedly Adding Two-Factor Authentication to User Accounts.
- Google will fight secretive national security letters in court.
- FBI’s Smartphone Surveillance Tool Explained In Court Battle.
- IsoHunt Demands Jury Trial.
- Critical Fixes for Windows, Flash & Shockwave via Krebs.
Blog Comment of the Week
This week’s best comment goes to HD Moore, in response to Should the Red (Team) be dead?
It isn’t clear why Gene believes that CTF contests have any correlation to professional red teams. A similar comparison would be hackathons to software engineering. In both cases you approach the problem differently and the participants learn a different set of skills. CTFs are not how real red teams operate or vice-versa.
On the demand for security engineers and forensics professionals – we absolutely need more of them, but these folks need to be familiar with what actual attacks look like and how they are carried out. In a perfect world, every security professional would have a background that included both attack and defense.