Travel is an occupational hazard for industry analysts. There are benefits to meeting face to face with clients, and part of the gig is speaking at events and attending conferences. That means planes, trains, and automobiles. I know there are plenty of folks who fly more than I do, but that was never a contest I wanted to win. As long as I make Platinum on Delta, I’m good. I get my upgrades and priority boarding, and it works.

With the advent of TSA Pre-check, I’m also exposed to a lot less security theater. Sure there are airports and terminals where I still need to suffer the indignity of a Freedom Fondle, but they are few and far between now. More often I’m through security and on my way to the gate within 5 minutes. So the travel is tolerable for me.

Last weekend, I took The Boy on a trip to visit a family member celebrating a milestone birthday. It was a surprise and our efforts were appreciated. To save a little coin, we opted for the ultra low-cost Spirit Airlines. So we had to pack everything into a pair of backpacks, as I’ll be damned if I’ll pay $35 (each way) to bring a roller bag. But we’re men, so we can make due with two outfits per day and only one pair of shoes. Let’s just acknowledge that if the girls were on the trip I would have paid out the wazoo for carry-on bags.

The Boy doesn’t like to fly, so I spent most of the trip trying to explain how the plane flies and what turbulence is. He’s 9 so safety statistics didn’t get me anywhere either. So I resorted to modern day parenting, pleading with him to play a game on his iPod touch. We made it to our destination in one piece and had a great time over the weekend. Though he didn’t sleep nearly enough, so by Sunday morning he was cranky and had a headache. Things went downhill from there.

By the time we got to the airport for our flight home he was complaining about a headache and tummy ache. Not what you want to hear when you’re about to get on a plane. Especially not after he tossed his cookies in the terminal. Clean up on Aisle 4. He said he felt better, so I was optimistic he’d be OK. My optimism was misplaced.

About 15 minutes after takeoff he got sick again. On me. The good news (if there is good news in that situation) is that he only had Baked Lays and Sprite in his stomach. Thankfully not the hot dog I had gotten him earlier. The only thing worse than being covered in partially digested Lays is wearing hot dog chunks as a hat. Not sure what about a hot dog would have settled his stomach, and evidently I wasn’t thinking clearly either.

I even had the airsick bag ready at hand. My mistake? I didn’t check whether I could actually open the bag, as it was sealed shut with 3-4 pieces of gum. Awesome. The flight attendants didn’t charge me for the extra bags we needed when he continued tossing his cookies or the napkins I needed to clean up. It was good that plastic garbage bags were included in my ultra-low-cost fare. And it was a short flight, so the discomfort was limited to 90 minutes.

The Boy was a trooper and about midway through the flight started to feel better. We made it home, showered up, and got a good story out of the experience. But it reminded me how much easier some things are now the kids are getting older. Sure we have to deal with pre-teen angst and other such drama, but we only get covered in their bodily fluids once or twice a year nowadays. So that is progress, I guess.

–Mike

Photo credits: Puking Pumpkin originally uploaded by Nick DeNardis

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Building an Early Warning System

• External Threat Feeds
• Internal Data Collection and Baselining

Understanding and Selecting an Enterprise Key Manager

• Management Features
• Technical Features, Part 2
• Technical Features, Part 1

Newly Published Papers

• Implementing and Managing Patch and Configuration Management
• Defending Against Denial of Service Attacks
• Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments
• Pragmatic WAF Management: Giving Web Apps a Fighting Chance

Incite 4 U

1. Privacy is still dead. Next. It’s amazing to me there is still pushback about decrypting SSL on outbound traffic in a corporate environment. It’s like the inmates are running the asylum. Folks complain about privacy issues because you can look at what pr0n sites they are perusing during work. Even when you tell them you are monitoring their stuff, ostensibly to look for proof of exfiltration. Don’t these folks realize that iPads on LTE are for pr0n anyway? Not that I’d know anything about that. Maybe set up an auto-responder on email and point folks directly to your Internet usage policy when they bitch about web monitoring. Unless you are in a country that doesn’t allow you to monitor. Then just reimage the machine and move on. – MR
2. Out with a whisper: In the past many database exploits required active usage of credentials to exploit a vulnerability. And there were almost guaranteed to be available as most databases came pre-configured with test and ‘public’ accounts, which could be leveraged into administrative access with the right credentials. For the most part these easy to access credentials have been removed from out-of-the-box configurations and are much less likely to be accessible by default. Any DBA who runs configuration assessments will immediately see this type of access flagged in their reports, and it’s very easy to address. This week some serious bugs in MySQL were announced – but the most serious (a memory stack overflow) required credentials to exploit. So you need to first find a flaw in the database configuration to exploit this flaw in the database implementation – which means you might be really screwed if you screw up access controls. Yeah. The risk is low, but only if you get basic security right. – AL
3. Defining the competition: There is an old truism in sales and marketing, that if you get to define your competition you will win every time. So when I see an Imperva study that says AV is a waste of money, clearly they are heeding that advice. Their point is that no AV solutions found identified new malware samples when run through a testing service (like VirusTotal). Duh. The malware writers always test their stuff now through these services to make sure they can’t be detected. But if an organization uses traditional AV as their only malware control they deserve to get pwned. To be clear AV is rarely packaged alone, and the other endpoint protection controls do make the products suck a bit less. Advanced attacks require new tactics, as our pal George Hulme reports. But the point here is the one about compliance. Regardless of how much AV sucks, it doesn’t matter. As long as compliance regulations mandate it, it will be a multi-billion dollar market. – MR
4. There can be only one: I still tell friends and family to not do banking online. I throw a half dozen good reasons why their personal PC and specifically their browser is suspect. Partially it’s to shock them into understanding they are vulnerable and at least consider some security. When I get the “Wha … wha … what? I’m not safe?” response I volunteer that if you must bank online, you need a dedicated browser to avoid attacks like cross site scripting, such as PayPal addressed this week. It’s ironic that I was on the phone with PayPay support last week because I could not use my dedicated browser with PayPal – some change in PayPal broke my browser of choice. The jovial PayPal support reps saying “Just use IE” are either totally ignorant of the security issues, or had been advised that commerce comes first. They essentially suggest you disable the ability to protect yourself. Most people lack the ability, discipline, or desire to change to more secure behavior. Browser based attacks du jour will continue until a different non-browser payment avenue is provided. Perhaps that’s a driver for dedicated mobile apps? – AL
5. Policy pen testing: Loved this post by Ben Rockwood about the importance of policy, really on the necessity for rules. He uses a very cute story about his son describing things via a process to make the point that he’s anal about process and that’s because without rules of engagement no one really knows what they should be doing. Same deal in security, but be careful when setting up those policies. Remember the key ground rules – especially about being simple and relevant. But most of all they need to be consistent and incent the right behavior. I can’t tell you how many times I have seen policies work very well but with unintended consequences. So do yourself a favor and build your own threat model on the policy. If you wanted to get around it, how would you do that? Can it be gamed? What is the impact of that? Remember, you are trained to find holes in stuff. Even your own policies. – MR