Flying into Milan to teach the CCSK class on Sunday morning, it really struck me how much we take this technology stuff for granted. The flight was uneventful (though that coach seat on a 9+ hour flight is the suxxor), except for the fact that the in-seat entertainment system didn’t work in our section. Wait. What? You mean you can’t see the movies and TV shows you want, or play the trivia game to pass the time? How barbaric! Glad I brought my iPad, so I enjoyed half the first season of Game of Thrones.

Then when I arrive I jump in the cab. The class is being held in a suburb of Milan, a bit off the beaten path. I’m staying in a local hotel, but it’s not an issue because I have the address and the cabbie has GPS. What did we do before GPS was pervasive? Yeah, I remember. We used maps. How barbaric.

Then I get to the hotel and ask for the WiFi code. The front desk guy then proceeds to explain that you can buy 1, 4 or 12 hour blocks for an obscene number of Euros. Wait. What? You don’t have a daily rate? So I’ve got to connect and disconnect? And I have to manage connections between all of my devices. Man, feels like 5 years ago when you had to pay for WiFi in hotels in the US. No longer, though, because I carry around my MiFi and it provides great bandwidth for all my devices. They do offer MiFi devices in Italy, but not for rent. Yeah, totally barbaric – making me constrain my Internet usage.

And don’t even get me started on cellular roaming charges. Which is why hourly WiFi is such a problem. I forwarded my cell phone to a Skype number, and the plan was to have Skype running in the background so I could take calls. Ah, the best laid plans…

But one thing about Italy is far from barbaric, and that’s gelato. So what if they don’t take AmEx at most of the places I’ll go this week. They do have gelato, so I’ll deal with the inconveniences, and get back in the gym when I return to the States. Gelato FTW.


Photo credits: “Conan the Barbarian #1” originally uploaded by Philipp Lenssen

Heavy Research

We’re back at work on a variety of our blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory.

Vulnerability Management Evolution

Defending iOS Data

Watching the Watchers (Privileged User Management)

Understanding and Selecting DSP

Malware Analysis Quant

Incite 4 U

  1. PCI CYA: We’ve said it here so many times that I can’t even figure out what to link to. The PCI Council claims that no PCI compliant organization has ever been breached. And as Alan Shimel points out, the Global Payments breach is no exception. The house wins once again. Or does it? Brian Krebs also reports that timelines don’t match up, or perhaps there is also another breach involved with a different payment processor? I’m sure if that’s true they’ll be dropped from PCI like a hot turd. Never forget that PCI is about protecting the card brands first, and anyone else 27th. – RM
  2. White noise: You’ve probably heard about the Global Payments breach. That means that as I write this the marketing department of every security vendor is crafting a story about how their products would have stopped the breach. And that’s all BS. Visa and Brian Krebs are reporting the attackers accessed Track 2 data – that tells us a lot. It’s clearly stated in the PCI-DSS specification that the mag stripe data is not to be stored anywhere by payment processors or merchant banks. It’s unlikely that attackers compromised the point-of-sale devices or the network feeds into Global Payments to collect 1.5M records from the merchant account of Joe’s Parking Garage in a month. As Global Payments is saying the data was ‘exported’, it’s more likely that their back office systems were breached, exposing unencrypted track data. Any security vendor’s ability to detect and stop the ‘export’ is irrelevant; it’s more secure to not collect the data at all. And even if the records were ‘temporary’, they should have been encrypted to avoid just this exposure to people poking around systems and databases at any time. So just sit back and learn (once again) from the screw-ups that continue to occur. I’m sure we’ll hear a lot more about this in the coming weeks. – AL
  3. I’ll take “nothing” for $200, Alex: Everybody batten down the hatches, it may be Spring (in the Northern Hemisphere, anyway), but when Shack becomes optimistic you can be sure that winter is coming. Though I do like to see a happier Shack talking about what is right with Infosec. Things like acceptance of breach inevitability and less acceptance of bureaucracy (though that cycles up and down). There are some good points here, but the most optimistic thing Dave says is that we have smart new blood coming into the field. And that the responsibility is ours, as the grizzled cynical old veterans, not to tarnish the new guys before their time. – MR
  4. Security is the broker: Managing enterprise adoption of cloud computing is a tough problem. There is little to prevent dev and ops from running out and spinning up their own systems on various cloud services, assuming you are silly enough to give them credit cards. Gartner thinks that enterprises will use cloud service brokerages (which will be internal) to facilitate cloud use. I agree, although if you are smart, security will play this key role (or a big part of it). Security can broker identity and access management, secure cloud APIs, handle encryption, and define compliance policies (the biggest obstacle to cloud adoption). We have the tools, mandate, and responsibility. But if you don’t get ahead of things you will be irrelevant, and someone else will take that role. You snooze, you lose. – RM
  5. Shakedown millionaire: You can’t believe everything you read on the Internet, but this Extortion Attempt website is instructive for everyone, as all industries more heavily consider outsourcing. It’s a story you’ve heard before. Engage a foreign developer who then holds your company hostage with access to not only ‘your’ source code, but ‘your’ credit card information. Clearly the folks owning this company are idiots. It’s bad enough to not protect yourself from a rogue developer, but to give him credit card access?! Just ridiculous. Clearly Darwin is at work here. But part of you has to feel bad when there seems to be no recourse. But you can’t outsource thinking, and if you don’t have Plan B when working with folks you don’t know, half a world away, who live in a different jurisdiction, well… – MR
  6. Caught up in the conspiracy: Imagine yourself as a customer of a cloud service provider. Now imagine that one of the other cloud ‘tenants’ does something illegal, like serving child porn or streaming NFL television signals. Now imagine that law enforcement ‘confiscates’ the offending server, which has been known to happen. But wait, when the ‘servers’ are all virtual images on the same physical server, they all go down. It’s the same when the police confiscate hard drives for forensic evidence, like when Megaupload was shut down and took other uninvolved legitimate users out as well. Can you imagine trying to retrieve your content from this mess through legal channels? When old law enforcement methods meet new technologies, the results are messy. This is one of several cases we have heard about in the last two years, and the courts are a long way from figuring out how to deal with these issues. Multi-tenant environments pose some new reliability and legal wrinkles, so update your disaster recovery and business continuity plans accordingly. Data replication FTW. – AL
  7. Throw another Log(Logic) on the fire: At long last, LogLogic has been acquired. Those folks have been on the block for years, and it was Tibco that took the plunge. Huh? Who? Tibco? Yeah, that was my reaction as well. And it’s clearly a very strategic deal for Tibco when the announcement doesn’t even show up on the LogLogic home page, the press release is 3 paragraphs with a buzzword density I haven’t seen in years, and there are no quotes from either of the happy executives. Yes, folks, those are clear indications of a fire sale. Is log management important? Absolutely. But as part of a security and/or IT Ops management stack, it is relevant to many different use cases. LogLogic pioneered the market, but they got Splunked, and now they will become a feature of a middleware stack. – MR
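As an added example (not from the Incite above and not Securosis tooling), here is a small scanner for the point in item 2 that Track 2 data must never be retained: run over a database export or log file, it reports where raw track data sits, masking the PAN so the scan itself does not spread card numbers. The sample export, its field names and the Luhn/expiry filtering of look-alike digit runs are constructed here.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMMSSS<discretionary>?
# PAN is 13-19 digits, '=' separates it from expiry YYMM and a 3-digit service code.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: True for a structurally valid card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the PCI-permitted display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """One finding per Track 2 string whose PAN passes Luhn and whose expiry
    month is plausible; the PAN is never returned in the clear."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            pan, yy, mm, svc, _disc = m.groups()
            if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
                continue                    # digits that merely look like track data
            findings.append({
                "line": line_no,
                "pan_masked": mask_pan(pan),
                "expiry": f"{mm}/{yy}",
                "service_code": svc,
            })
    return findings


# Constructed sample export: one genuine Track 2 string (well-known test PAN),
# one Luhn-invalid look-alike, and an ordinary record with a long reference number.
SAMPLE = """txn=9001 merchant=joes_parking track2=;4111111111111111=2512101123456789?
txn=9002 merchant=joes_parking track2=;4111111111111112=2512101123456789?
txn=9003 ref=12345678901234567 status=settled
"""

if __name__ == "__main__":
    for finding in find_track2(SAMPLE):
        print(finding)
```

A hit in anything other than the authorisation path's transient memory is exactly the stored-track-data condition the item describes, and is the finding to escalate.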