I was in the car the other day with one of the kids, and they asked me if I ever get lost. I have a pretty good sense of direction and have been able to read maps as long as I remember. I was probably compensating for my Mom’s poor sense of direction and my general anxiety at a young age about feeling lost. But it’s different today. With the advent of ever-present GPS and decent navigation, I can say it has been a long while since I have really been lost. I get misdirected sometimes, but that lasts maybe a minute and then I figure out my way. But these gadgets are no silver bullet.

A couple years ago I was doing a seminar tour and ended up in Detroit. I did my thing, got some sleep, and was ready to head out to the airport the next morning. The car was equipped with a GPS from the rental car company, so I hit the button to take me to the airport and started driving. About 40 minutes later, I started thinking something was screwy.

Then I got that feeling in the pit of my stomach, when I realized I selected the wrong airport in the GPS. I was driving in the wrong direction for over a half-hour and I was very unlikely to make my flight. And this was not the day to miss the flight. The Boss was leaving town and I had to get the kids from their various schools and activities. Of course, when I finally got to the right airport, all the flights back to Atlanta were booked up. I was totally screwed. So I paid a whole bunch of idiot tax and bought a first class seat on another airline. And I still had to call in a bunch of favors from friends and family to take the kids until I could get home. Feels like I’m still paying for that period of idiocy.

Let’s just say I double check every time I enter an address into a GPS nowadays.

But now let’s consider navigation metaphorically. We have technology that can help us get anywhere we want to go. It’s built into your car and you carry it in your pocket. But that doesn’t make it any easier to know where you should be going. And even when you get there, you are usually disappointed with the destination… Maybe it wasn’t everything you cracked it up to be. Sometimes the grass isn’t greener when you get there.

When I think about it and play out the metaphor a bit further, there’s another reason it has been a while since I was last lost. I guess at this point in my life, I don’t get lost because I’m not trying to get anywhere. I’m very fortunate to be in a situation where I can actually say that. And mean it. Given my cultural programming, it took me a long time to accept where I am and to not strive to get to where I’m not. There are some days I forget – I am human after all. But there is no GPS for life. That’s worth remembering.

–Mike

Photo credits: Hertz NeverLost III originally uploaded by Josh Bancroft

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Understanding Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. BYOD basics: I mentioned this briefly on the blog earlier this week but wanted to add a bit. ENISA released a great guide to getting started with BYOD. It is far more practical than most approaches I have seen, and includes links to a lot of public examples. One of key aspect is how the guide consistently addresses the issue of getting employee cooperation. You can’t hit BYOD with a hammer or you will just end up smashing your thumb. If the employee owns it, you need to entice them with benefits – not act as if you are doing them a favor by allowing them access to corporate email on their off hours. For more detail on the technology, I wrote a paper with a spectrum of options for protecting data on iOS. As a security guy I hate giving up control as much as anyone, but employees aren’t cattle and they need a fair deal or they’ll figure out a way around whatever you come up with. – RM
  2. Carnival of dysfunction: Leaking thousands of patient records is not news, – we have had a steady diet of leaks and breaches over the past decade. But the recent LA Times article on a couple who improperly stored some 300k patient records was interesting for the myriad levels of disfunction it describes. And it’s clear from comments by both the third party provider and Kaiser that they don’t understand data security. Couple that with the Times slant that small firms should never store sensitive data at home because it can’t be secure, and you have a carnival of dysfunction. This issue is not unique to Kaiser – most large enterprises engage small third party service providers because they offer a specific skill at low cost and are agile enough to adapt to market changes. But don’t expect them to know security, and don’t expect them to comply with requests for military-grade security or formal compliance processes. Companies should provide simple security controls that are both understandable and implementable by small firms. For example some full disk encryption, key management, and a dedicated computer for sensitive data would likely have been enough to meet electronic data protection requirements. Send activity logs back to Kaiser to show compliance. Simple steps would offer good protection while maintaining the benefits of small contractors. – AL
  3. The chosen hackers: It looks like the Israelis are taking a page out of the Chinese cookbook and starting to train smart kids in the art of hacking. You cannot develop a massive state-sponsored cyber-warfare capability overnight – you grow it organically. What’s surprising is that it’s being discussed publicly. Though I guess it gets back to the constant cycle of information/disinformation and trying to keep adversaries off balance. Now that I think about it, many countries have programs to identify and find promising Olympic athletes and give them an environment to become world class. Think gymnastics or ice skating, etc. Why shouldn’t some of these promising kids be identified and trained in technical skills from a young age? Yeah, it’s a slippery slope any way you look at it. And it will be a lot of fun in 15 years, when some unknown fraction of these folks become mercenary types offering their skillz to the highest bidders. – MR
  4. Another week, and more chicken little: While it could be said that no press is worse than bad press, it’s time for infosec to quit with the Chicken Little approach to reporting. Especially non-stories. The latest version of this comes hot on the tail of Elcomsoft’s release of The Next Web: Elcomsoft Forensic Disk Decrypter a few weeks ago. The newest “ZOMG U REKD DISK CRYPTO” comes from the Boing Boing story Inception: a tool for compromising the slumber of computers with full-disk encryption and introduces the absolute terror of FireWire direct memory access – even over Thunderbolt! Firewire DMA – 2004? How about Thunderbolt compromise over DMA? Everyone who was at DEFCON 19 (2011) and actually survived the Fail Panel will recall this being demonstrated by David Maynor on stage – and no, we’re not going to link to the video. Not only is it not safe for children, it’s not safe for anyone! How about we all agree on something simple? If the bad guy has physical access to your running computer, the bad guy owns it all – even if you have encryption. Go ahead and write that down now. If you’re deploying FDE, you need to set machines to hibernate rather than sleep, and you need to power down whenever you’re not using the machine. It’s not that hard, just DO IT! – JA
  5. Rejected: Wired’s post on Why Hackers Are So Much Funnier Than You raises the really good point that if you’re not willing to be ruthless in checking (error checking, secure code validation, behavioral modeling) your code prior to production, maybe QA departments should all run some form of Vigil. Deleting crap code and halting the project managers who are trying to push code out the door is not such a bad thing. Our own Mike Rothman does this to vendor marketing materials – if it doesn’t pass a sanity check across multiple disciplines it’s destroyed. In fact we see marketing and PR teams iterate through several concepts and levels of refinement before going live, contrasted with software development teams who seldom delete or rewrite anything. Could you imagine the outcry at deleting source code that sucked? A little public shaming by a cranky code checker – real or virtual – would go a long way towards improving the quality of code used by customers. – AL
  6. Microsoft’s FREE secret weapon: I don’t think enough people talk about Microsoft’s Enhanced Mitigations Experience Toolkit, probably thanks to its crappy name. You’d think MSFT could spend a little of those R&D billions on product naming, no? EMET allows you to apply some excellent exploit prevention capabilities on old operating systems and applications. You know, like that 10+ year old XP thing you can’t kill. TJ O’Connor at SANS shows how well this works in the real world. If you have to secure older applications, especially on Windows XP, I highly suggest you take a look at EMET and spend some time figuring out how to deploy it in your environment. Or keep your pooper scooper close to continue cleaning up the messes. – RM
  7. Tao for Dummies: Looks like Bejtlich is going to hibernate a little and crank out another book this year, Network Security Monitoring in Minutes. That’s great news, mostly because he’ll be simplifying much of his Network Security Monitoring content into a format for the masses. Okay, maybe not the real masses, but a less sophisticated audience. And not a minute too soon, as the concept of network visibility is clearly critical for dealing with today’s attacks and adversaries. Hopefully this is a precursor to a new generation of security books targeting a broader audience. If it’s too complicated folks won’t do it. We have learned that the hard way. – MR
Share: