Friday Summary: January 14, 2010By Rich
As I sit here writing this, scenes of utter devastation play on the television in the background.
It’s hard to keep perspective in situations like this. Most of us are in our homes, with our families, with little we can do other than donate some money as we carry on with our lives. The scale of destruction is so massive that even those of us who have worked in disasters can barely comprehend its enormity. Possibly 45-55,000 dead, which is enough bodies to fill a small to medium sized college football stadium. 3 million homeless, and what may be one of the most complete destructions of a city in modern history.
I’ve responded to some disasters as an emergency responder, including Katrina. But this dwarfs anything I’ve ever witnessed. I don’t think my team will deploy to Haiti, and every time I feel frustrated that I can’t help directly, I remind myself that this isn’t about me, and even that frustration is a kind of selfishness.
I’m not going to draw any parallels to security. Nor will I run off on some tangent on perspective or priorities. You’re all adults, and you all know what’s going on. Go do what you can, and I for one have yet another reason to be thankful for what I have.
This week, in addition to Hackers for Charity, we’re also going to donate to Partners in Health on behalf of our commenter. You should too.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s Dark Reading article on Database Discovery.
- Securosis takes over the Network Security Podcast.
- Rich, Mike, and Adrian interviewed by George Hulme of Information Week on Attaining Security in the name of compliance.
- Adrian’s article in Information Security Magazine on Basic Database Security: Step by Step.
- Rich’s series of Macworld articles on Mac security risks.
- Rich was a judge for the top 10 web hacking techniques of 2009. The judging gets harder every year.
- Pepper wrote a piece on scheduling Mac patching over at TidBITS.
Favorite Securosis Posts
- Rich: Database Password Pen Testing.
- Mike: FireStarter: The Grand Unified Theory of Risk Management – Great discussion on how risk management needs to evolve to become relevant.
- Adrian: Rich’s post on Yes Virginia, China Is Spying and Stealing Our Stuff.
- Meier: Yes Virginia, China Is Spying and Stealing Our Stuff - Maybe we can combine the idea behind the Mercenary Hackers post with Rich’s idea to hack China back. Adobe would be all smiley emoticon for sure.
- Mort: Low hanging fruit in network security.
Other Securosis Posts
- Management by Complaint.
- Pragmatic Data Security: Introduction.
- Incite 1/13/2010: Taking the Long View.
- Revisiting Security Priorities.
- Mercenary Hackers.
Favorite Outside Posts
- Rich: I’m going to cheat and pick some of my own work. I don’t think I’ve seen anything like the Mac security reality check series I wrote for Macworld in a consumer publication before. It’s hopefully the kind of thing you can point your friends and family to when they want to know what they really need to worry about, and a lot of it isn’t Mac specific. I’m psyched my editors let me write it up like this.
- Mike: Shopping for security – Shrdlu gets to the heart of the matter that we may be buying tools for us, but there is leverage outside of the security team. We need to lose some of our inherent xenophobia. And yes, I’m finally able to use an SAT word in the Friday Summary.
- Adrian: On practical airline security. It’s weird that the Israelis perform a security measure that really works and the rest of the world does not, no? And until someone performs a cost analysis of what we do vs. what they do, I am not buying that argument.
- Mort: Why do security professionals fail?.
- Meier: Cloud Security is Infosec’s Underwear Bomber Moment – Gunnar brings it all together at the end by stating something most people still don’t get: “This is not something that will get resolved by three people sitting in a room… …it requires architecture, developers and others from outside infosec to resolve.”
- Pepper: Google Defaults to Encrypted Sessions for Gmail, by Glenn Fleishman at TidBITS. AFT!
Project Quant Posts
Top News and Posts
- Dark Reading on the Google hack by China. A lot of good, important information in here.
- Another Week, Another GSM Cipher Bites the Dust.
- Adobe hack conducted via 0-day IE flaw.
- Do security pros need a little humble pie?
- Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About It. Amrit does it again – funny, snarky, and all too true
- Insurgent Attacks Follow Mathematical Pattern.
- I’m sorry but we blew up your laptop (welcome to Israel). I want to know a) why they thought the laptop was a danger, and b) why they thought the screen (rather than the hard disk) was the dangerous part.
Blog Comment of the Week
Adrian, I believe that #3 is feasible and moreover easy to implement technically. The password algorithms for all major database vendors are known. Retrieving the hashes is simple enough (using a simple query). You don’t have to store the hashes anywhere (just in memory of the scanning process). With today’s capabilities (CUDA, FPGA, etc.) you can do tens of millions of password hashes per second to even mount brute-force attacks.
The real problem is what do you do then? From my experience, even if you find weak passwords, it will be very hard for most organizations to change these passwords. Large deployments just do not have a good map of who connects to what and managers are afraid that changing a password will break something.