Before we get to the Incite we should probably explain why it’s a day late. Like many other sites we have huge issues with PIPA and SOPA, so we took down our site yesterday in protest. We don’t expect the big companies with big lobbying budgets to give up, so we need to keep the pressure on. Copyright holders have a right to protect their content, but not at the cost of our freedom and liberty. Period. Now back to our regularly scheduled pot stirring.

Growing up I spent a lot of time in our den. It was a pretty small room, in a pretty small house, but it’s where the TV was. First it was a cabinet-style tube TV. Remember those? Yeah, you kids today have no appreciation for the TV repair man who showed up to fix your TV with a case full of tubes. Then we got a 15” model with cable, and my brother and I spent a lot of time in that room.

The furniture was pretty spartan as well. We had a chair and we had a couch. The couch was, uh, uncomfortable. A plaid model with fabric that was more like sandpaper. Not that microsuede stuff we see today. So amazingly enough, there was a lot of competition for the chair. I usually won. OK. I always won, mostly because I was older and a lot bigger. That may have been the only positive to having a childhood weight problem. I always got the chair. Even if my brother was there first. I’d just sit down. Yes, right on him. It didn’t take long for him to realize I wasn’t moving and my bulk wasn’t going to get any more comfortable.

After about the zillionth time I used this approach to get the chair, and my Mom got (justifiably) fed up with my brother crying about it, she instituted a new policy. You could call “my seat” once you entered the den, and you’d have to respect the call. Kind of like calling “shotgun” to sit in the front of the car. My brother may have been small, but he was quick. And more often than not, he beat me to the den and called the seat. I wasn’t happy about it, and when the babysitter was there I’d forget the rule. But inevitably I’d suffer the consequences when Mom got home.

So it was funny to see XX2 sit in the passenger side captain’s chair in the van over the weekend. That’s where XX1 usually sits. The little one had this look, like she ate a canary, sitting in that seat. XX1 was not happy at all. I’m not sure whether it was because she likes her seat or that XX2 got the best of her. So the squealing started. And I’m not too tolerant of squealing.

For a second I thought about instituting the my seat policy for the van. But that’s overkill for now. The girls don’t physically bully each other, and even if they did, I’m not sure XX2 wouldn’t win her fair share of battles. Though it did give me a chuckle to remember the old days of abusing my little bro. Speaking of which, it’s probably time to take him out to dinner, since I’m still running a huge karma deficit with him. Suffice it to say sitting on him was probably the nicest thing I did when we were growing up.


Photo credits: “I gotta get me one of these!” originally uploaded by sk8mama

Heavy Research

We have been busy blasting through process descriptions for the Malware Analysis Quant project. Here are last week’s posts, which zero in on the Malware Proliferation subprocess:

You can find all the posts on the Project Quant blog. We have also finished up our Network-based Malware Detection series, so here is a link to the last post, on assessing the impact of the cloud. Yes, the forecast is cloudy. Ha ha.

As always you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory.

Incite 4 U

  1. Revisiting the STRATFOR breach: Looks like Nick re-graded the folks at STRATFOR on their breach response and it went from a B- to a D-. Personally I think that’s too harsh, but ultimately it’s a subjective opinion and Nick is entitled to his. The key is constant communication, which STRATFOR failed at. It seems they spent the two weeks totally rebuilding their infrastructure, as they should have. I also liked the video from their CEO and agree it should have come earlier, if only to initially accept responsibility at the highest level. Then you communicate what you know as you can. I guess everything is relative and I personally think STRATFOR did an okay job of response. You can always improve, and you should learn from what they didn’t do well, so you can factor that into your own response plans. – MR
  2. Unbreakably irresponsible: I think Adrian is going to cover the latest Oracle security flaw/patch in more detail, but I want to address a long-standing pet peeve I have with the big O. First, let’s give them credit for getting this out relatively quickly, even though it isn’t something that will (probably) affect a large percentage of Oracle customers. Then again, the ones most at risk tend to have 3-4 letter acronym names. Knowing that some flaws are ignored for years, it’s nice to see a relatively quick response – even if it may be due to the press being involved from the beginning. But that isn’t my peeve. You’ll notice that patches only go back a few versions for Oracle 10 and 11, and aren’t available for anything earlier. Oracle reps have told me (not that we talk much anymore) that they don’t believe a significant number of customers are running older versions. And if they are, since said versions are out of support, those customers are irresponsible for not upgrading. My quick Twitter check showed that older versions are still in wide use, sometimes for legitimate reasons such as packaged applications which don’t support newer versions. I really wish Oracle would do the right thing and be more realistic in their security support. – RM
  3. Risk models: I have heard, twice in the last month, that “Stolen credit card numbers are losing their value as it’s harder to commit fraud, and therefore breaches are less of an issue since they cause less damage.” This hogwash came from a couple people closely associated with the PCI Council, in response to my recent research regarding the need to endorse tokenization. I don’t know why that statement bothers me so much, as I can’t rationally justify being this annoyed by simple vendor obstinance. I understand that from both the banks’ and card brands’ perspectives everything can be boiled down to a risk equation. As long as fraud rates remain below a tolerable threshold they don’t sweat the little stuff. Of course PCI-DSS effectively pushed a ton of liability onto merchants, and the global growth in credit card use means things are just peachy for the card issuers. The banks are still struggling a bit, but with better back-end fraud analytics they are likely to keep things under control as well. Or at least within their acceptable ‘shrinkage’ levels. So I have to admit that doing just enough remains the most efficient model, but I guess what bugs me is their continued reliance on good enough risk management models. That approach got the economy into a bit of trouble a couple years back. Remember that? I guess I am just not as comfortable with the risk levels as they are. – AL
  4. Monitoring Third Party sites (for your stuff): Most organizations don’t monitor nearly enough of their own stuff, so the idea of monitoring third-party sites for sensitive content is probably a pipe dream. But that doesn’t mean I can’t point you toward this great post on the /dev/random blog (h/t to @SecBarbie for the link) about how to set up your SIEM to monitor for content on pastebin, including scripts and regex patterns for use in your SIEM. Yes, that pastebin – but this is kinda-sorta like external DLP – you need to know what content you are looking for and where to look. It’s not a panacea, but if you know you are a target for the type of “chaotic actors” who habitually post their goodies on pastebin, it might not hurt to do some monitoring over there. Of course by the time you find something on pastebin you are already in a world of hurt, but it’s still useful to get a heads-up if you’re in the path of a 4-alarm fire. Before you get the visit from the FBI or Secret Service, anyway. – MR
  5. Googled, and not in a good way: Google’s sales team is being accused of pillaging a rival’s database to win business. While the method of access was not disclosed, it does not appear to have been a technical exploit, as they were actively using the CRM system. More likely Mocality lacked basic database security controls. After a decade of headline breaches, you might expect not to see basic database security failures, but this type of theft continues to happen – seemingly all the time! It happens when companies forget to lock down terminated employee accounts, or worse, use group login credentials for sensitive accounts and never change their passwords. We have even seen cases where unsecured application interfaces naturally expose database contents to Google’s search bots, providing the information to anyone who cares to search for it. Mocality is simply lucky their competitor was aggressive enough to reveal themselves. If you’re not taking these simple precautions and implementing basic security controls, know that this is happening to you too! – AL
  6. Loving your auditor: I have long believed that you need a good working relationship with your auditors. Most people think I’m an idiot because many auditors take themselves too seriously and dig in on stupid stuff, ensuring an adversarial relationship. One of the things I mapped out in the P-CSO was an approach to managing audits which I based on a few assumptions. First is that you and your auditor are on the same team. Second is that if you swallow your pride a bit you can actually learn something from an auditor, as they see many different environments. And that’s when most folks call me an idiot (again). A lot of those issues are highlighted in this lightweight piece on Dark Reading about ticking off your auditor. Basically, don’t be an ass. Be prepared. Don’t lie or misdirect. Why is this so hard? – MR
  7. When should security vendors disclose? If I weren’t tied up with other projects I’d do a full post on this one, but I am, so I can’t. This week it came out that Symantec themselves were breached in 2006, resulting in the release of source code. Not the Indian government ruse that was the initial speculation. This raises a couple questions – did Symantec know it at the time? If so, should they have disclosed? Losing source code itself doesn’t necessarily create risk for customers/users, but it certainly could. Ask RSA about that. And the article seems to indicate that at least some issues were patched. But I have to wonder if this is the same breach I started hearing rumors of last year. Not that it matters, but my general thought is that security vendors need to be more proactive in breach notification, due to the trust we place in them – even if the actual risk is low. But that is clearly me projecting my own ethics… I will leave it up to you all to let us know if you think I’m being too harsh. – RM
  8. Bonus Incite: Fortifying the UFO: Whenever a big company buys a small company, inevitably the senior folks from the target make their way to another start-up to do it all over again. According to the folks at TechCrunch, AlienVault poached 7 folks from HP’s security group, formerly from Fortify. Clearly SIEM remains hot, and there are only a handful of independents left – including AlienVault, who sells a commercial version of the open source OSSIM. We know a few of the execs going over and they are good folks. It’s a good space, and as we have written, many organizations are considering SIEM replacements. But the entrenched leaders in this market are big and it’s a mature market. Is there room for innovation? Of course, but you’d think if they were going to poach HP execs, they might choose some with direct domain knowledge (they did buy ArcSight, after all) aside from the HR person. I’m just sayin’… – MR
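The pastebin monitoring idea in item 4 above, as an added example that is not from the /dev/random post or from the Securosis authors: a small Python scanner of the kind a SIEM regex rule set would encode, run over a fetched paste. The organisation indicators (the example.com and example-corp.internal domains, the host-naming pattern, the “Project Bluefin” codename) and the paste text are constructed for illustration; the card number is the well-known 4111 test value. It makes the item’s point concrete: you have to know what content you are looking for, and a Luhn check keeps timestamps and ticket numbers from paging you.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    match: str


# --- Organisation-specific indicators (constructed for this example) ---------
# A real deployment would load these from the SIEM's watchlist, not hard-code them.
ORG_DOMAINS = ("example.com", "example-corp.internal")
CODENAMES = ("Project Bluefin",)  # hypothetical internal project name

EMAIL_RE = re.compile(
    r"\b[\w.+-]+@(?:" + "|".join(re.escape(d) for d in ORG_DOMAINS) + r")\b",
    re.IGNORECASE,
)
# Hypothetical host naming scheme: <role>-<env>-<nn>.example-corp.internal
INTERNAL_HOST_RE = re.compile(
    r"\b(?:db|app|vpn|ad)-[a-z]{2,8}-\d{2}\.example-corp\.internal\b", re.IGNORECASE
)
# 13-19 digits with optional single space/dash separators; Luhn-checked below.
CANDIDATE_PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits so the alert itself is not a leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_paste(text: str) -> list[Finding]:
    """Run every indicator over each line of a paste and collect the hits."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(line_no, "org_email", m.group(0)))
        for m in INTERNAL_HOST_RE.finditer(line):
            findings.append(Finding(line_no, "internal_host", m.group(0)))
        for m in CANDIDATE_PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):  # drops timestamps, ticket ids, random digit runs
                findings.append(Finding(line_no, "pan_luhn_valid", mask_pan(digits)))
        for name in CODENAMES:
            if name.lower() in line.lower():
                findings.append(Finding(line_no, "codename", name))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per category, the shape a SIEM alert rule would threshold on."""
    return dict(Counter(f.category for f in findings))


# Constructed paste text standing in for a pastebin fetch.
SAMPLE_PASTE = """\
dump from db-prod-01.example-corp.internal (Project Bluefin staging) by anon
alice.smith@example.com : hunter2
bob@example.com : s3cret
4111 1111 1111 1111 exp 09/14
1234 5678 9012 3456 (fails Luhn, ignored)
see also 10.0.0.5, unrelated.org, ticket 2012011900003
"""

if __name__ == "__main__":
    for f in scan_paste(SAMPLE_PASTE):
        print(f"line {f.line_no}: {f.category} -> {f.match}")
    print(summarize(scan_paste(SAMPLE_PASTE)))
```

The indicator set is the whole game here: generic patterns alone will bury you in other people’s data, while a short list of your own domains, host-naming conventions and project names turns a public paste feed into a usable heads-up.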