Friday Summary: June 22, 2012
By Adrian Lane
I have been wanting to write a bunch of blog posts for the last few weeks. No, not the heavy research work we have been in up to our eyeballs, but about some of the strange and interesting stuff currently being reported. We used to do a lot more commentary and I miss it. I have a little time this Friday, so I thought I would comment on a few of the past week’s articles I think warrant discussion – in many ways as interesting for what was not discussed. Here we go:
Which leads to the second post I found very interesting, on Bruce Schneier’s site, called Apple Patents Data-Poisoning. It appears that the US Patent and Trademark Office believed that poisoning profile data was novel and granted Apple’s patent request. In 2004/2005 I used to provide prospective customers for database activity monitoring a demo script to run against competitive products. The script would simply push SQL queries to both real and non-existent databases over the network. None of the queries would execute successfully because they were not actually part of an active database session. But because competitors’ network monitors only looked for SQL queries on any known database port – without regard for whether they were actually going to a database – the monitor would capture all this fake activity. I could poison competitors’ logs with bogus activity, or flood them with false positives. It was a terribly effective way to demonstrate how early database monitoring products that watched network activity sucked. But I would never have tried to patent that idea – it feels like trying to patent network packets: good packets and bad packets are just normal network traffic. Similarly I would not patent my attempts to create “False Adrian” by showing non-random but totally bogus interest in products or services to see what sort of anti-profile I can create, a hobby I have been experimenting with on and off since 2006. This seems like a patent awarded for “urinating on the floor”, or anything else that occurs naturally but fails to identify genuine user intent. From an intellectual property standpoint, I hate to think someone could patent something like this. But from a product standpoint, if Google (and other marketing firms) surreptitiously capturing all your activity for profit pisses you off, would you buy an Apple product that poisons your activity trail? I would. A cloud based iRandomizer for browser traffic over an encrypted tunnel would be ideal!
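The monitoring weakness described above, as an added example that is not part of the original post: a toy network-based database activity monitor in the naive port-matching form beside a session-aware form that only logs queries once a handshake and login have completed. The packet records, the handshake/login abstraction and the addresses are constructed assumptions, not real captures.

```python
from collections import namedtuple

# Constructed abstraction of a DB connection: "kind" is one of syn, synack,
# auth_ok (successful DB login) or data (an application-layer segment).
Pkt = namedtuple("Pkt", "client server port kind payload")
DB_PORTS = {1433, 1521, 3306, 5432}
SQL_VERBS = ("SELECT", "INSERT", "UPDATE", "DELETE", "DROP")

def looks_like_sql(payload: str) -> bool:
    return payload.lstrip().upper().startswith(SQL_VERBS)

def naive_monitor(packets):
    """Port-based sniffer, as the post describes: logs any SQL-looking payload
    aimed at a database port, whether or not a database ever answered."""
    return [p.payload for p in packets
            if p.port in DB_PORTS and p.kind == "data" and looks_like_sql(p.payload)]

def session_aware_monitor(packets):
    """Tracks per-flow state and only logs queries sent after a completed
    handshake and a successful login, so unanswered traffic is ignored."""
    state = {}  # (client, server, port) -> "syn" | "established" | "ready"
    logged = []
    for p in packets:
        if p.port not in DB_PORTS:
            continue
        key = (p.client, p.server, p.port)
        if p.kind == "syn":
            state[key] = "syn"
        elif p.kind == "synack" and state.get(key) == "syn":
            state[key] = "established"
        elif p.kind == "auth_ok" and state.get(key) == "established":
            state[key] = "ready"
        elif p.kind == "data" and state.get(key) == "ready" and looks_like_sql(p.payload):
            logged.append(p.payload)
    return logged

# Constructed sample traffic: one genuine session, then the bogus demo traffic
# the post describes: a query fired at a live server with no session, and one
# at a host that runs no database, so no handshake or login ever completes.
SAMPLE = [
    Pkt("10.0.0.5", "10.0.0.20", 5432, "syn", ""),
    Pkt("10.0.0.5", "10.0.0.20", 5432, "synack", ""),
    Pkt("10.0.0.5", "10.0.0.20", 5432, "auth_ok", ""),
    Pkt("10.0.0.5", "10.0.0.20", 5432, "data", "SELECT id FROM orders"),
    Pkt("10.0.0.9", "10.0.0.20", 5432, "data", "DROP TABLE customers"),  # no session
    Pkt("10.0.0.9", "10.0.0.99", 1433, "data", "SELECT * FROM nothing"),  # no DB there
]

if __name__ == "__main__":
    print(naive_monitor(SAMPLE), session_aware_monitor(SAMPLE))
```

The naive monitor records all three statements; the session-aware one records only the query that belonged to a real session.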
Finally, a post on MSNBC said some hacked firms are “fighting back” by hacking the hackers. Forgive me, but ‘Cloudstrike’ has a very Team America feel to it; well-intentioned but wide of the mark. First, there is a big difference between “active defense” and “strike-back” capabilities. Active defense is not an attack against hackers – it is an active scan of activities on the Internet for clues that someone is, or is about to, launch an attack against your site. Something like the CIA or NSA gathering intelligence to detect someone plotting a terrorist attack. Some large firms use this type of service for advance notice, and they hope to get an early start on their response, whatever it is. But “strike back” capabilities are totally different, and the goal of damaging an alleged attacker would certainly be outside the law. I doubt any of these plans will be effective – the New School blog raises the same question in Active Defense: Show Me the Money. The concept seems well intentioned – some of you are probably unaware that a handful of recent electronic attacks against major companies have been accompanied by physical threats against employees. So I get the desire to induce the same fear in hackers, but it seems unlikely to work, and it’s definitely illegal. Really, you can either locate the attacker(s) or you can’t, but if you can, you have a good chance of scaring them with law enforcement. Otherwise you’re pretty much out of luck. I know some attacked firms have conducted reconnaissance and analysis to help law enforcement locate the attacker, but that seems like the reasonable limit of effectiveness for counter-strike computer security.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich quoted on the Security Generation Gap.
- Mike quoted on the “Renaissance Information Security Professional”.
Favorite Securosis Posts
- Rich: Mike’s latest on endpoint malware trade-offs.
- Mike Rothman: The Four Enterprise Key Management Strategies. Hope y’all are refreshing your encryption knowledge. With this cloud stuff, good old crypto will be everywhere. Lucky for you Rich is documenting a lot of what we’re finding out there. Bob and Alice FTW.
- Adrian Lane: Choosing Your Key Management Strategy. This is the heart of the series.
Other Securosis Posts
- Incite 6/20/2012: That Smell.
- New Paper: Implementing and Managing a DLP Solution.
- Evolving Endpoint Malware Detection: Controls, Trade-offs and Compromises.
- Understanding and Selecting Data Masking: Use Cases.
- Friday Summary: June 15, 2012.
Favorite Outside Posts
- Rich: The Top Mistakes Companies Make In Data Breaches. The opening to this article is pretty bad, but the actual advice is spot on.
- Adrian Lane: Professional Services Engineer or Surly Gifted-and-Talented Teenager? Very funny post comparing teens to support engineers.
- Mike Rothman: InfoSec isn’t for you. Nice little post here from PacketKnife listing some good indicators that security isn’t for you. My favorite? “you search for the obvious instead of the truth”. Well said.
Project Quant Posts
- Malware Analysis Quant: Index of Posts.
- Malware Analysis Quant: Metrics – Monitor for Reinfection.
- Malware Analysis Quant: Metrics – Remediate.
- Malware Analysis Quant: Metrics – Find Infected Devices.
- Malware Analysis Quant: Metrics – Define Rules and Search Queries.
- Malware Analysis Quant: Metrics – The Malware Profile.
- Malware Analysis Quant: Metrics – Dynamic Analysis.
Research Reports and Presentations
- Implementing and Managing a Data Loss Prevention Solution.
- Defending Data on iOS.
- Malware Analysis Quant Report.
- Report: Understanding and Selecting a Database Security Platform.
- Vulnerability Management Evolution: From Tactical Scanner to Strategic Platform.
- Watching the Watchers: Guarding the Keys to the Kingdom.
- Network-Based Malware Detection: Filling the Gaps of AV.
Top News and Posts
- Survey Says – Security Spending Going Up, Up, Up.
- US-CERT discloses security flaw in Intel chips.
- The Biometric Wallet.
- Google says the Internet is dangerous. Uh, yeah, I guess it is. But bogus Google Safe Browsing stats – you know, the ones that have been flagging legit sites – are not a good indicator.
- New iOS won’t support original iPad.
- Return Oriented Exploit code finalists – Microsoft.
- Virus Purloins Blueprints.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. But this week we received no comments.