Incite 3/18/2014: Yo Mama!By Mike Rothman
It’s really funny and gratifying to see your kids growing up. Over the weekend XX1 took her first solo plane trip. I checked her in as an unaccompanied minor, and she miraculously got TSA Pre-check. Of course that didn’t mean I did with my gate pass. So the TSA folks did their darndest to maintain the security theater, and swabbed my hands and feet.
We had some time so I figured we’d hang out in the airline club. Not so much. I have access to the SkyClub via my AmEx Platinum card, but evidently I have to be flying. So we got turned away at the door. Really? Total fail, Delta. And your club receptionist was mean. But I had XX1 with me, so I mumbled some choice words under my breath and just let her mention that person wasn’t nice.
Then the gate agent called for her, and after a quick goodbye… Okay, not so quick – no goodbye is quick with XX1 – she headed down the jetway and was gone. Of course I got dispatches every 10 minutes or so via text. So I knew when her bag was in the overhead bin, when she got a refreshment, how much she was enjoying Tower Heist on the iPad, when the plane was loaded, and finally when she had to shut down her phone. She made it to her destination in one piece, and met Grandma at the gate. Another milestone achieved.
Then on Saturday morning I had the pleasure of taking the boy to breakfast. His sports activities (tennis and LAX) weren’t until afternoon so we had some boy time. As we were chatting I asked him about his friends. He then launched into a monologue about how all his friends tell Yo Mama! jokes now. He even had some pretty funny ones ready to go. He asked me if I had heard of those kinds of jokes. I just had to chuckle. You know those kids today – they invented everything.
Though how they get their material is radically different. It seems they get the jokes on YouTube and then tell them to each other the next day at school. I had to actually read joke books to get my material and my delivery wasn’t very good. It seems to be in good fun, for now. I remember getting into fights with kids over those kinds of jokes, mostly because they weren’t really intended to be joking. And it’s a bit strange to think the Boss is the Mama in question, and at some point he may need to defend her honor. Although the Boy is pretty mild-mannered and very popular, so it’s hard to envision someone telling a joke to get a rise out of him.
All the same, the kids are growing up. And unaccompanied plane rides and Yo Mama! jokes are all part of the experience.
Photo credit: “Yo Mama’s Sign” originally uploaded by Casey Bisson
Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.
- March 11 – RSA Postmortem
- Feb 21 – Happy Hour – RSA 2014
- Feb 17 – Payment Madness
- Feb 10 – Mass Media Abuse
- Feb 03 – Inevitable Doom
- Jan 27 – Government Influence
- Jan 20 – Target and Antivirus
- Jan 13 – Crisis Communications
2014 RSA Conference Guide
In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.
Advanced Endpoint and Server Protection
Newly Published Papers
- Reducing Attack Surface with Application Control
- Leveraging Threat Intelligence in Security Monitoring
- The Future of Security
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7
- Eliminating Surprises with Security Assurance and Testing
- What CISOs Need to Know about Cloud Computing
Incite 4 U
Pwn to Pwn: Our friend Mike Mimoso has a great summary of the annual Pwn2Own contest at CanSecWest. This is the one where prizes are paid out to researchers who can crack browsers and other high-value targets (all picked ahead of time, with particular requirements). The exploits are bought up and later passed on to the affected vendors. As usual, all the products were cracked, but the effort required seems higher and higher every year. This level of exploitation is beyond your usual script kiddie tactics, and it’s nice to see the OS and browser vendors make practical security advances year after year. On the downside, BIOS and firmware hacking are going beyond scary. I really feel bad I haven’t made it to CanSecWest (usually due to work conflicts so close to RSA), but I think I need to make it a priority next year. It’s a great event, and a powerful contributor to the security community. – RM
PCI is relevant. Really. It’s just those careless retailers: I’m in the air right now so I can’t check the TripWire folks’ interview with the PCI Standards Council’s Bob Russo at RSA, but some of the quotes I have seen are awesome. “People are studying for the test. Passing the compliance assessment and then leaving things open. They’re being careless,” said Bob Russo. Man, that is awesome. The standards are great – the retailers are just careless. Really? To be clear, Target was careless, but nowhere in the PCI standards do I see anything about locking down third-party access to non-protected information. Or having a network-based malware detection device to detect malware before it exfiltrates data. How about this one? “Russo said it appears the companies affected were covered one way or another in the PCI standards. But if they learn something new, then they will update the standards accordingly.” So they will update the standards in 3 years? That’s how long it takes to implement any change. Listen, I’ll be the first to say that PCI helped 5 years ago. But today its low bar is just too low. – MR
To PIN or not to PIN: If you still don’t believe us that PCI-DSS is just one of many liability-shifting games to improve banking profits, consider Visa and Mastercard’s recent announcement that they will market EMV ‘smart’ payment cards in the US. They want smart cards, but no PIN numbers to validate users – instead they intend to use the same signature-based system we have today. The National Retail Federation has jumped into the fray, saying Easy-to-forge signatures are a virtually worthless form of authentication. Fraud rates with mag-stripe cards in the US are a serious problem, and Chip and Pin style cards have proven to reduce fraud from card cloning and in-person misuse. So what’s the problem? The gripe is that the cards, along with the required systems to set up digital signatures on them, cost about ten times as much – but the real worry is that customers won’t use them. The issuers argue that setting a PIN is too much hassle so people won’t use the cards at all. They believe overall transaction volume would fall off – a no-no for the card brands. Credit cards are a proven financial lubricant, and they consider reductions in usage levels much worse than fraud. But under the shadow of never-ending breaches I suspect we will now get ‘chipped’ cards without PINs. At least for a while. – AL
DDoS goes to 11: We have been hearing a bit less about Distributed Denial of Service attacks (DDoS) recently. Not because they aren’t happening, but many targets are getting better at defending against them and keeping their systems available. But the adversaries are evolving their tactics as well using amplification techniques. So as the fellows from Spinal Tap would say, “This attack goes to 11!” The OpenDNS Lab folks describe DNS amplification attacks in a blog post, with a good overview of the techniques. And they are in a good position to know what’s going on with DNS. Timing is everything, right? I am starting a network DDoS blog series so I will be covering a lot of these topics as well. Keep an eye out for that. – MR
So bad it’s good: Despite the poorly written post, unfiltered vendor hype, and the even-more-horrific term “data lake”, there is something very cool going on with XACML based permissions for big data queries. The real story is the ability to retrofit fine-grained authorization mapping into big data queries. This means that you can implement attribute based authorization – not just typical role-based access controls – without modifying the application! Control down to the data element level is possible, but implemented as a proxy between the application and the database. Note that this does not protect data at rest and assumes that you route queries through a proxy, and you need to actually know what is in your big data repository. But regardless, it is a a viable approach to fine-grained authorization controls for big data clusters. For those identity geeks out there who were skeptical about the adoption of XACML, it just may sneak in through the back door. – AL
Chasm jumping unicorns? Gene Kim has a great post on DevOps.com asking whether DevOps can cross the chasm to mainstream enterprises (disclosure: I’m on the DevOps.com advisory board). Gene, you may recall, wrote The Phoenix Project about the power of DevOps. I’ll be honest: I am biased. But I do believe DevOps operational frameworks can increase agility, resiliency, and security – all at the same time. Gene cites actual statistics, such as twice the change success rate when using DevOps, and 12x faster restorations after breaks (all from a Puppet Labs survey, so beware possible bias). DevOps isn’t the answer for everything, and it comes with its own risks, but once you start learning the patterns it makes a ton of sense. The ability to do things like build an entire application stack automatically and as needed, using templates with embedded security configurations, sure seem like a nifty way to build and fix things. – RM
Understanding the different levels of malware analysis: With more advanced malware out there, many organizations have started dipping their toes into malware analysis to figure out what attacks do. Lenny Zeltser has a good overview of 4 different types of analysis in this post: discussing fully automated analysis, static analysis, interactive (dynamic) analysis, and finally full code reversing. Many of the cloud services out there doing malware analysis do at least the first three, and manage a decent job at this point. Of course you can’t (yet) completely displace a human analyst, so there will be room for carbon-based analysis for a quite a while, to understand the nuances and patterns across attacks. But it is very difficult to find folks who can do reverse code, so automated services may be the only option for many companies. For more detail on what’s involved in malware analysis, check out our Malware Analysis Quant research. – MR