There is lots I want to talk about this week, so I decided to resort to some three-dot blogging.
A few years ago at the security bloggers meet-up, Jeremiah Grossman, Rich Mogull and Robert Hansen were talking about browser security. After I rudely butted into the conversation they asked me if “the market” would be interested in a secure browser, one that was not compromised to allow marketing and advertising concerns to trump security. I felt no one would pay for it but the security community and financial services types would certainly be interested in such a browser. So I was totally jazzed when WhiteHat finally announced Aviator a couple weeks back. And work being what it has been, I finally got a chance to download it today and use it for a few hours. So far I miss nothing from Firefox, Safari, or Chrome. It’s fast, navigation is straightforward, it easily imported all my Firefox settings, and preferences are simple – somewhat the opposite of Chrome, IMO. And I like being able to switch users as I switch between different ISPs/locations (i.e., tunnels to different cloud providers). I am not giving up my Fluid browsers dedicated to specific sites, but Fluid has been breaking for unknown reasons on some sites. But the Aviator and Little Snitch combination is pretty powerful for filtering and blocking outbound traffic. I recommend WhiteHat’s post on key differences between Aviator and Chrome. If you are looking for a browser that does not hemorrhage personal information to any and every website, download a copy of Aviator and try it out.
* * *
I also want to comment on the MongoHQ breach a couple weeks back. Typically, it was discovered by one of their tenant clients: Buffer. Now that some of the hype has died away a couple facets of the breach should be clarified. First, MongoHQ is a Platform-as-a-Service (PaaS) provider, running on top of Amazon AWS, and specializing in in-memory Mongo databases. But it is important to note that this is a breach of a small cloud service provider, rather than a database hack, as the press has incorrectly portrayed it. Second, many people assume that access tokens are inherently secure. They are not. Certain types of identity tokens, if stolen, can be used to impersonate you. Third, the real root cause was a customer support application that provided MongoHQ personnel “an ‘impersonate’ feature that enables MongoHQ employees to access our primary web UI as if they were a logged in customer”. Yeah, that is as bad as it sounds, and not a feature you want accessible from just any external location. While the CEO stated “If access tokens were encrypted (which they are now) then this would have been avoided”, that’s just one way to prevent this issue. Amazon provides pretty good security recommendations, and this sort of attack is not possible if management applications are locked down with good security zone settings and restricted to AWS certificates for administrative access. Again, this is not a “big data hack” – it is a cloud service provider who was sloppy with their deployment.
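As an added illustration (not MongoHQ’s code, and not from the original post), here is a Python sketch of the two controls the paragraph above contrasts: keeping only a keyed hash of each customer access token so a read of the token table yields nothing reusable, and gating an “impersonate” feature on a support role plus an internal management network, with every decision audited. The management network range, the role names and the pepper value are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

# Constructed assumption: the management network from which support staff
# may use the impersonate feature. Not a real MongoHQ or AWS value.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class TokenStore:
    """Persists only an HMAC of each customer access token (keyed with a
    server-side pepper), never the token itself."""
    pepper: bytes
    hashes: dict = field(default_factory=dict)  # digest -> customer id

    def _digest(self, token: str) -> str:
        return hmac.new(self.pepper, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, customer_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.hashes[self._digest(token)] = customer_id
        return token  # shown to the customer once; plaintext is not stored

    def resolve(self, token: str):
        """Map a presented token back to a customer id, or None."""
        return self.hashes.get(self._digest(token))


@dataclass
class ImpersonateGuard:
    """Allows impersonation only for a support-role employee whose request
    originates on the management network; records an audit entry either way."""
    audit: list = field(default_factory=list)

    def allow(self, employee: dict, source_ip: str, customer_id: str) -> bool:
        ip = ipaddress.ip_address(source_ip)
        on_mgmt_net = any(ip in net for net in MANAGEMENT_NETS)
        has_role = "support" in employee.get("roles", ())
        decision = on_mgmt_net and has_role
        self.audit.append({"employee": employee["id"], "customer": customer_id,
                           "source": source_ip, "allowed": decision})
        return decision
```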
* * *
It has been a strange year – I am normally “Totally Transparent” about what I am working on, but this year has involved several projects I can’t talk about. Now that things have cleared up, I am moving back to a normal research schedule, and I have a heck of a lot to talk about. I expect that during the next couple weeks I will begin work on:
- Risk-based Authentication: Simple questions like “who are you” and “what can you do” are no longer simple binary answers in this age of mobile computing. The answers are subjective and tinged with shades of gray. Businesses are used to making access control decisions based on simple control lists, but simple lists are no longer adequate – they need to consider risk and behavior when making these decisions. Gunnar and I will explore this trend, and talk about the different techniques in use and the value they can realistically provide.
- Securing Big Data 2.0: The market has changed significantly over the past 14 months – since I last wrote about how to secure big data clusters – I will refresh that research, add sections on identity management, and take a closer look at application layer security – where a number of the known threats and issues persist.
- Two-factor Authentication: It is often discussed as the ultimate in security: a second authentication factor to make doubly sure you are who you claim to be. Many vendors are talking about it, both for and against, because of the hype. Our executive summary will look at usage, threats it can help address, and integration into existing systems.
- Understanding Mobile Identity Management: This will be a big one. A full-on research project in mobile identity management. We will publish a full outline in the coming weeks.
- Security Analytics with Big Data: I will release a series of targeted summaries of how big data works for security analytics, and how to start a security analytics program.
If you have questions on any of these, or if there are other topics you think we should be covering, shoot us an email.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Mike Rothman: How to Detect Cloudwashing by Your Vendors. – Love how Adrian and Gunnar put a pin in the marketing hyperbole around cloud now. And brace yourself – we will see a lot more over the next year.
- Adrian Lane: The CISO’s Guide to Cloud: How Cloud is Different for Security. This is good old-fashioned Securosis research. Focused. A bit ahead of the curve. Pragmatic. Enjoying this series.
Other Securosis Posts
- Incite 11/13/2013: Bully.
- New Series: What CISOs Need to Know about Cloud Computing.
- How to Edit Our Research on GitHub.
- Trustwave Acquires Application Security Inc.
- Security Awareness Training Evolution [New Paper].
- Blowing Your Mind(fulness) at RSA 2014.
- Summary: Hands on.
- Defending Against Application Denial of Service: Abusing Application Logic.
- Defending Against Application Denial of Service: Attacking the Stack.
- Defending Against Application Denial of Service: Attacking the Application Server.
Favorite Outside Posts
- Mike Rothman: The generous skeptic. – I seem to link to Seth Godin a lot in the Summary. I guess he speaks truth – at least as I see it. This one is great for understanding whom to accept feedback and (constructive) criticism from.
- Adrian Lane: The generous skeptic – me too. Does not happen too often, but Mike and I have the same external favorite this week. When I was analyzing the Trustwave acquisition of AppSec, this is exactly what was going through my mind. Good post.
Research Reports and Presentations
- Security Awareness Training Evolution.
- Firewall Management Essentials.
- A Practical Example of Software Defined Security.
- Continuous Security Monitoring.
- API Gateways: Where Security Enables Innovation.
- Identity and Access Management for Cloud Services.
- Dealing with Database Denial of Service.
- The 2014 Endpoint Security Buyer’s Guide.
- The CISO’s Guide to Advanced Attackers.
- Defending Cloud Data with Infrastructure Encryption.
Top News and Posts
- More than 800,000 accounts compromised in MacRumors Forums breach.
- Google’s Book-Scanning Is Fair Use, Judge Rules.
- Zero-Days Rule November’s Patch Tuesday via Krebs.
- Microsoft recommends customers stop using SHA-1.
- The CIA pays AT&T over $10 million a year for foreign call logs.
- Amazon AWS CloudTrail – API activity captured!
Blog Comment of the Week
This week’s best comment goes to Jessica, in response to Blowing Your Mind(fulness) at RSA 2014.
I look forward to this! I think it is important that we as security professionals turn to some of these real things for analysis. I think we often get stuck in a cycle of cynicism and spiral downward as we lament that no one cares about security or what we do. Thank you for bringing this forward as a talk!