I had a bit of a surreal experience earlier this week. Rich probably alluded to it a few times on the Twitter, but we are all as busy as we have been since we started the new Securosis 5 years ago. I m traveling like a mad man and it’s getting hard to squeeze in important meetings with long-time clients. But you do what you need to – we built this business on relationships, and that means we pay attention to the ones that matter.
So when a Monday meeting on the west coast is the only window you can meet with a client before an important event, you do it. I flew out Sunday and had a good meeting Monday. But there was a slight complication. I was scheduled to do the mindfulness talk with JJ at the ISC2 Congress Tuesday morning in Atlanta. I had agreed to speak months ago and it’s my favorite talk, so there was no way I was bailing on JJ.
That means the red-eye. Bah! I hate the red-eye. I have friends who thrive on it. They hate the idea of spending a working day in the air. I relish it because I don’t have calls and can mute the Tweeter. I get half a day of solid thinking, writing, or relaxing time. With in-flight networking I can catch up on emails and reading if I choose. So I can be productive and compensate for my challenges sleeping on planes. If I get a crappy night’s sleep the next couple of days are hosed, and that’s not really an option right now.
Thankfully I got an upgrade to first class, which is about as rare as sniffing unicorn dust. I poured my exhausted self into my first-class seat, plugged in my headphones, and slept pretty well, all things considered. It wasn’t solid sleep, but it was sleep. When we landed in ATL I felt decent. Which was a lot better than I expected. So what now?
Normally I’d get in the car and drive home to get all pretty for the conference. But that wouldn’t work this week because I needed to be in another city Tuesday afternoon, ahead of another strategy day on Wednesday. I didn’t have time to go home, clean up, and then head back downtown for my talk. I made some calls to folks who would be at the ISC2 conference and was graciously offered the use of a shower. But that would involve wading into some man soup in a flop room, so I was grateful for the offer, but kept looking for alternatives.
Then I realized the ATL airport has showers in some of its Sky Clubs. So I trudged down to the International Terminal and found a very spacious, comfortable changing room and shower. It was bigger than some hotel rooms I’ve had in Europe. I became a stranger in my own town. Showering up at my home airport to do a talk in my city before heading back to the airport to grab another flight to another city. The boy told me it was cool to be in 3 cities in less than a day. I told him not so much, but it’s what I do.
It’s a strange nomadic existence. But I’m grateful that I have clients who want to meet with me, and a family who is understanding of the fact that I love my job…
–Mike
Photo credit: “Darth Shower” originally uploaded by _Teb
The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.
Securosis Firestarter
Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.
- September 16 – Apple Pay
- August 18 – You Can’t Handle the Gartner
- July 22 – Hacker Summer Camp
- July 14 – China and Career Advancement
- June 30 – G Who Shall Not Be Named
- June 17 – Apple and Privacy
- May 19 – Wanted Posters and SleepyCon
- May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling
- May 5 – There Is No SecDevOps
- April 28 – The Verizon DBIR
Heavy Research
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.
Security and Privacy on the Encrypted Network
Secure Agile Development
- Building a Security Tool Chain
- Process Adjustments
- Working with Development
- Agile and Agile Trends
- Introduction
Trends in Data Centric Security
Newly Published Papers
- The Security Pro’s Guide to Cloud File Storage and Collaboration
- The 2015 Endpoint and Mobile Security Buyer’s Guide
- Open Source Development and Application Security Analysis
- Advanced Endpoint and Server Protection
- Defending Against Network-based DDoS Attacks
- Reducing Attack Surface with Application Control
- Leveraging Threat Intelligence in Security Monitoring
- The Future of Security
Incite 4 U
- Gorillas in the mist: In case you missed it, was another important vulnerability was disclosed last week, aside from Shellshock. It was a flaw with the network security library used by Firefox and Google’s Chrome that allows an attacker to create forged RSA signatures to confuse browsers. In practice someone can fake a certificate for eBay or Amazon – or any other SSL connection – and act as a man-in-the-middle, collecting any private data sent down the pipe. You’d think that we would have beaten on SSL libraries enough to uncover these types of flaws, but just as with the
bash
shell vulnerability we will be discussing critical vulnerabilities in foundational pieces of the Internet for a very long time. Now go update your browsers. – AL - You have a plan – now what? Some more survey magic here – the Ponemons have figured out that just because an organization has an incident response plan doesn’t mean they are actually equipped to respond to incidents. There is a lot more to it, and without throwing around the arbitrary, I mean ‘survey’, numbers. let’s just say it takes a real commitment of people, process, and technology to get good at IR/M (Incident Response and Management). Oh yeah, and a lot of practice – fortunately, as we all know, there is no lack of practice for IR/M teams nowadays. But I don’t want to be a wet blanket – it is good to see more organizations with plans and IR/M teams. The point is that’s only the beginning of the story. It needs to be written, implemented, and evolved over a long period. – MR
- Sharing intel: With each indictment of (mostly) financially motivated attackers around the world, we see proof of better global collaboration among law enforcement. Interpol is stepping up its efforts by putting a new facility in Singapore as the coordination point for Asian cyber-collaboration among public and private entities. This is great because when countries become less territorial and work together more, it becomes much harder for attackers to escape the increasingly long arm of the law. Of course history shows that over time law enforcement becomes more territorial and less collaborative, so it is a bit early to declare victory, but this is a clear step in the right direction. – MR
- Scrupulously dishonest: “When they are talking, they are lying and when they are quiet they are stealing,” was a phase I first heard used by Berkshire Hathaway’s co-chair Charlie Munger to describe Congressmen Jay Gould and Russell Sage. But I find it highly applicable to the FBI chief’s recent claim that Apple and Google’s new cell phone encryption allows people to put themselves above the law – playing the old and familiar kidnapping and terrorist trump cards as reasons we cannot have data security. Side-stepping the obvious problem of a key US law enforcement officer who is evidently unaware of the Constitution’s affirmation of privacy and human liberty, we need strong encryption to protect the basic infrastructure we rely upon. As we use our devices for health and fitness, for payments and finance, for family relations and whatever else we want to do, bad security serves criminals as well as law enforcement. If data – cloud or mobile – can be compromised by the US government, it will inevitably also be compromised by others for whatever purposes they deem necessary. That is unacceptable. – AL
- Following the money: It was just a matter of time before Kevin Mitnick started really trading on his name and selling zero-day exploits. He claims to leverage both in-house research and external attackers to sell guaranteed exclusive attacks priced at no less than $100,000. This is a guy who gets something like $10k to sign books, so it’s not surprising he’d pump up the prices with some Mitnick inflation to sell exploits. As smarmy as it feels, it’s probably a good idea. Anonymous attackers can leverage Mitnick’s reputation, and he gets to skim a bunch off the top for interesting attacks. Who he will ultimately sell exploits to is a slippery slope, but Kevin seems to know how to make money, so odds are it will be lucrative with some moral ambiguity thrown in for good measure. – MR
Comments