It seems like a lifetime ago. June of 1999. Actually it was more than XX1’s lifetime ago. The Boss and I still lived in Northern Virginia. I was close to the top of the world. I started a software company, we raised a bunch of VC money, and the Internet Revolution was booming. The lease on my crappy 1996 Pathfinder was up, and I wanted some spiffy new wheels.

Given my unadulterated arrogance at that time in my life, I’m surprised I didn’t go buy a 911, since that’s always been my dream car. But in a fit of logic, I figured there was plenty of time for fancy cars and planes once we took the company public. But I did want something a bit sportier than a truck, so I bought a 1999 Acura TL. It had 225 horses, lots of leather, and cool rims. In fact, I still feel pretty good about it almost 13 years later. I’m still driving my trusty TL.

Well, I guess the term driving is relative. I drive about 7,500 miles a year. Maybe. With three kids, we don’t take trips in the TL any more, so basically I use it to go to/from Starbucks and the airport. At almost 100,000 miles, it’s starting to show its age. It’s all dented up from some scrapes with my garage (thanks Grandma!) and countless nights spent in an airport parking lot. But I can’t complain – it’s been a great car.

But the TL is at the end of the road and my spidey sense is tingling. That model is notorious for transmission failures. So far I’ve been lucky, but I fear my luck is about to run out. The car just doesn’t feel right, which means it’s probably time for a pre-emptive strike to refresh my wheels.

What to buy? I’m not a car guy, but my super-ego (the proverbial devil on my shoulder) looks longingly at a 911 Carrera Convertible. That’s sweet. Or maybe a BMW or Lexus gunship. A man of my stature, at least in my own mind, deserves some hot wheels like that. Then my practical side kicks in (the angel on my other shoulder) and notes that I frequently need to put the 3 kids in the car, and the kids aren’t getting smaller. No SmartCar for me. I also want something that gets decent gas mileage, since it’s clear that gas prices aren’t coming down anytime soon. But it’s so boring and lame to be practical, says the Devil on my shoulder. We know how that ended up for Pinto in Animal House, but what will happen with me?

I can’t really pull off the sports car right now, so maybe I should get an ass kicking truck. One of those huge trucks with the Yosemite Sam mud flaps and a gun rack. It will come in handy when I need to cart all that mulch from Home Depot back to my house. Oh right, I don’t cart mulch. My landscaper does that. Again, the practical side kicks in – reminding me that folks needing to make obvious statements about their a badassitude usually have major self-esteem problems.

What happened to me? Years ago, this decision would have been easy. I’d get the sports car or the truck and not think twice. Until I got my gas bill or had to tie one of the kids to the roof to get anywhere. But that’s not the way I’m going. I’m (in all likelihood) going to get a Prius V. Really. A hybrid station wagon, and I’ll probably get the wood paneling stickers, just to make the full transformation into Clark Griswold. Though if I tied Grandma to the roof, I wouldn’t be too popular in my house.

Even better, the Prius will make a great starter car when XX1 starts to drive 4-5 years from now. That will work out great, as by then it’ll be time for my mid-life crisis and the 911 convertible…

-Mike

Photo credits: “porsche 911 hot wheels” originally uploaded by Guillermo Vasquez

Heavy Research

We’re back at work on a variety of blog series. Here is the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory.

Defending iOS Data

• Introduction
• iOS Security and Data Protection
• Data Flow on iOS
• Protecting Data on Unmanaged Devices
• Secure File Apps for Unmanaged Devices

Watching the Watchers (Privileged User Management)

• Access to the Keys (to the Kingdom)

Understanding and Selecting DSP

• Data and Event Collection

Incite 4 U

1. Assuming the worst is not new: It’s pretty funny that our pals at Dark Reading are now talking about Security’s New Reality: Assuming the Worst – meaning you need to assume compromise and act accordingly. Duh. Gosh, I’ve been talking about Reacting Faster since early 2007 (I actually checked and the term first appeared on Security Incite in December of 2006. Praise the Google.), and it’s not like I have been the only one, but it is pretty cool to see everyone else jumping on the you’re screwed bandwagon. I was talking to a freelance writer Monday, and she asked what kind of skills I thought people getting into security need to work on, and I said forensics. Obviously there are a lot of fundamentals that need to be in place to understand how to figure out something is wrong, but it’s clear that capable incident responders will be in high demand for a long time. And even incapable incident responders will be busy, as companies in the middle of coping with breaches can’t afford to be too picky. – MR
2. Password Manager Kinda-fail: Elcomsoft conducted a security review of 17 different personal password managers, examining their encryption and key management. The full report (PDF) contains most of the interesting information. The problem is that the report is not very well written. The attacks they discuss all depend on having physical access to the device, or being able to gain access to the device backups – a power-station hack on a locked device won’t work. There is an implication that not using the keychain on iOS degrades security, but I don’t believe it. Further, the title of the paper: ‘“Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?’ is a bit of a tease – I know several vendors have made that claim, but the statement paints all vendors with the same brush, and that’s clearly not supported by the actual analysis. I do agree with that most users use shorter passwords on their mobile devices as compared than on their desktops, and we already know 10-14 character passwords just are not that strong to begin with. Any important passphrase needs to be over 15 characters. Period. That said, I did find useful information in the report, and I am glad that consumers who care about security will be armed with more information so they can detect vendor BS – especially from vendors who don’t actually encrypt all their data. – AL
3. You mean you want to read AND edit? A little later Mike is going to cover Big Yellow’s acquisition of some mobile assets (other vendors- buy early, buy cheap), but there’s part of the problem that isn’t well addressed yet. As I’m covering in my iOS data security series it turns out that if you want to edit documents, as opposed to just view them, inside a secure sandbox you actually need to build in a complete Office editor. Heck, even if Microsoft releases Office for iPad (and they will) you won’t be able to use it in a secure sandbox unless they OEM it. Which is why it’s very interesting that QuickOffice is adding enterprise features for data protection. Did I say buy early, buy cheap? Maybe even not so cheap at this point. -RM
4. Why wait tables, when you can social engineer? Interesting post on The Ethical Hacker Network on using acting skills as a social engineer. Yup, manipulation and pretending you are someone else are keys to social engineering success. Act like you belong and don’t get flustered under questioning. Obviously easier said than done, but who better to perform these tricks than out-of-work actors? If you need to hire a bunch of social engineers just head down to LA. Sure, they’d be raw, but it’s no more of a stretch than those actors doing product presentations on any show floor. I can see it now: The Hacker Casting Couch on PlayboyTV. – MR
5. Privacy Matters – about 4 bits worth: Threatpost covered the results of a recent joint research project by the German Institute of Economic Research and Cambridge University to monetize the value of privacy. They effectively developed an economic model for pricing personal information. The project was designed to place a value – yes, a hard Deutschmark amount – on privacy. The good news is that privacy matters! Yeah! The bad news: it’s worth about $0.65 to consumers. Give or take a couple cents. But we knew this already, with studies showing people will fork over their work passwords for a free USB memory stick, or give up their personal information in exchange for a candy bar. I know women who would give you a credit card number for 50% off Manolo Blahniks, but maybe that’s not a fair comparison. In reality, the issue of ‘context and scope’ matters more than I think the report accounts for – people only get angry about privacy violations when their privacy is abused. Worse, they know that maintaining privacy is not always an option – sometimes you provide information or don’t get the credit card, the loan, the cell phone, or some service you need. But overall the study is well worth a look. I still have to ask: should we consider $0.65 a lot of money when freedom only costs $1.05? – AL
6. Cloudy. Cloudi. Cloudici. I remember on one of the very first panels I did on cloud computing how shocking it was to the other panelists that I would make the distinction between security delivered from the cloud, and security for the cloud. Chris Hoff (yes, I link to him too much, write like he does and and I’ll link to you) does a much better job breaking out the different meanings of “cloud security”. On top of my two options (in the cloud and for the cloud) he adds by the cloud, which covers security built in with your cloud provider. He then focuses on that last category and hints and the awesome implications when security is built into the cloud. It’s like, a self defending network or something! But seriously… read the post and look for the innovation. We are surrounded by it, and despite what you may think a lot of it is happening in traditional vendors, even though they know the market is relatively small… for now. -RM
7. Mobilizing the Big Yellow: We have recently done two sessions with groups of CISO types, and priority #1 (or a close priority #2) is dealing with this mobile security thing. Clearly, smartphones and other consumer-grade devices are appearing on corporate networks in volume, and although most organizations of scale contain the potential damage by restricting access to iOS and using a container approach for corporate data (and ensuring it can easily be wiped), they can’t hide forever. And Symantec (for once) is buying ahead of the market by taking out Odyssey, a mobile device management (MDM) product, and also Nukona, a corporate app store capability. To be clear, dealing with these mobile devices is less a security issue than a management problem for now and the definition of endpoint is changing, so over time it will be a clear security play. This isn’t the last deal we will see in this space. – MR