Yesterday I was in Winnipeg. By choice! I was invited to speak at the Western Canada Information Security Conference, and there isn’t much I like better than giving talks in Canada. Folks are nice. They appreciate when you come up to their towns to talk. They don’t say much during the pitch, but they come up after the session or in the coffee line and make it clear that they were listening. Just like in the Northeast. OK, not so much.

I was doubly excited to do yesterday’s talk because they asked me to do my Happyness talk. It is my favorite talk to do – not because I think it provides a good message for the audience… even though it does. Not because it gives people tools to deal with the despondency that is part of the security profession… although it does that too.

I love giving the Happyness talk because it forces me to take a look at where I’ve been and what I’ve done to improve myself over the past 7 years. When I first put the pitch together, I had a picture of Grumpy with the caption: “My alter ego.” When I updated the pitch last year, I changed that caption to be: “I used to be this guy.” That’s right, I’m no longer grumpy. Really. If you perceive me being grumpy, you bought into my persona. That’s not me anymore. If you met me today and didn’t know me, you wouldn’t think I’m grumpy or even curmudgeonly.

I didn’t really appreciate that fact until I was going through the deck this week to do some minor tuning. I realized I have spent a long time trying to improve my mental game. To deal with my impatience and anger. To do this I embraced mindfulness practices (see the Neuro-hacking talks I do with JJ) and it has made a huge difference in my mental health. I need to celebrate that accomplishment. So I think I will.

Of course that doesn’t mean I don’t get frustrated or impatient anymore. I’m human, contrary to popular belief. But I don’t hold onto the frustration, and the impatience passes quickly. Which, given where I started, is pretty cool.

While I’m celebrating I should probably acknowledge how I have transformed my physical self as well. Back in 2006 I was 70 pounds heavier with high blood pressure and all sorts of other issues starting to manifest. So I decided I was tired of being fat and out of shape and dedicated myself to change. It has been a long process and it is still a daily battle, but at this point I am in the best shape of my life – in my mid-40s. Go figure. That warrants a celebration, no? I was on the express train to the grave and now I have a chance to live long enough for my kids to have to change my diapers. I don’t know how long I’ll be here, but when I go it won’t be because I didn’t take care of myself.

So today I will celebrate my accomplishments, both mind and body. I don’t really ever pat myself on the back, so this is both new and uncomfortable. But I’ll do it because I should. Because hard work should be acknowledged – even if it is only acknowledging yourself.

[5 minutes pass]

OK, I’m done celebrating. There is work to do. Windmills to chase. Things to accomplish. But this is progress for me. I usually don’t celebrate accomplishments for even 5 minutes. It actually feels pretty good. Come to think of it, I highly recommend it. There may be something to this celebration thing…


Photo credit: “Destination: Goal” originally uploaded by Jay Cox

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide back in February. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Understanding Role-based Access Control

NoSQL Security 2.0

Newly Published Papers

Incite 4 U

  1. Dropping your stuff: The Intralinks folks just published some interesting research, highlighted on Graham Cluley’s blog, showing how Dropbox and Box leak links to private files through Google searches. They prove their point by showing a 2012 tax return and a mortgage application. That’s awesome. It turns out anyone with a link for private sharing can see the file. No authentication needed. More awesome. The issue can also manifest if someone clicks a link embedded within a document viewed using Dropbox’s web preview function, because that link is included in the referrer information. So how do you solve the problem? Don’t share links. Duh. Oh, not an issue? Use business cloud storage services, which allow you to restrict access to shared links. We are only beginning to scratch the surface of these issues with cloud storage, so share judiciously and encrypt files on those services. At least any files you care about. – MR
  2. Very open auth: The major proponents of OpenId and OAuth 2.0 responded to the latest hijacking threat with “The problem is being tracked”, and “Covert Redirect is a security flaw, not a vulnerability.” Which is basically doublespeak for “Not my problem” – or, as Jeremiah Grossman called it on Twitter, a “WONTFIX” issue. It is true that the flaw is not with OpenID nor OAuth per se, as they were not designed to counter this type of attack, but client credentials are nonetheless are subject to compromise. The unspoken issue here is that dozens of dodgy browser features are critical functionality (including redirection) leveraged by marketing groups, ad networks, and third-party services. A typical user will click any link presented, so people will continue to get phished and hacked, and malicious third parties will get valid user credentials. ‘Fix’ the security problem and the third party services break – which is not going to happen because the browsers are controlled by large advertising firms. So web application providers must fill the gaps, typically through additional validation such as risk-based and 2-factor authentication, lessening the value and trustworthiness of OAuth and Open ID. – AL
  3. Follow the money: Brian Krebs has another great article over at The Guardian on how credit card companies are still myopically focused on point-of-sale system security and weak on cyber – despite the Target breach. The problem with his analysis is that it misses a couple important points. First, that financial liability to consumers is effectively $0 (okay, it is a seriou inconvenience to replace a card, but you aren’t responsible for any resulting fraud). The fact is that it’s hard to get consumers up in arms when they aren’t losing money. What about the credit card brands? Shouldn’t they care about this? Well, their fraud rates are near historic lows (~5%). So even with all the costs of replacing cards (which banks are on the hook for) the overall systemic losses are still low enough that the costs pushed onto consumers still aren’t all that noticeable. Perverse economics, but that’s life. – RM
  4. Share and share alike: The folks at AlienVault are pushing the industry to share intelligence on a wider basis, via an open letter. Their point is good – the key to threat intelligence is benefiting from the misfortune of others, and you can only do that by having folks share data with you. As was described to me by a defense sector CISO, who was more than willing to share what he had – his organization had already addressed the issue and implemented remediations/workarounds. So there was no competitive advantage to keeping the details of the attack private. But not everyone has the same enlightened perspective, and that’s AlienVault’s point. They want to remove the price tag and private market value of the data. I’m not sold on that, mostly because without a profit motive, innovation tends to stall. But the more we share information, as far and wide as possible, the more we all benefit. I’m pretty sure that’s what the network effect is all about. – MR
  5. Meatware: We focus almost exclusively on IT security here at Securosis, but sometimes we can learn from looking at physical crime. Take the spate of prescription drug theft reported by The Verge. It took about 5 years to slow down bad guys nailing warehouses, with old school Mission Impossible schemes like cutting through ceilings, rappelling in, and loading up semi trucks with pallets of stolen drugs. Think about it – high-value assets, a potential underground market, ways to reinsert product into legal markets, and all centralized in big non-data centers. It took a combination of new security controls, law enforcement, and systemic changes (including pallet labeling/tracking), but they managed to get a handle on the problem. Sounds very familiar, and who doesn’t love a good roof-rappelling story. There’s your plot for MI:18. – RM
  6. AllSQL: When I released our security analytics paper earlier this year I mentioned two important trends. The first was large enterprises and third-party service providers running not one, but two NoSQL databases in parallel, each tuned to address a specific security effort. The other was the desire to leverage multiple existing databases, along with new Hadoop clusters for data analysis. Recently both IBM and Splunk have announced solutions that do just this; IBM’s BigInsights provide connectors that allow queries to be run across Hadoop and other IBM databases simultaneously, while Splunk is offering a new version of Hunk that allows queries to run across Hadoop, Accumulo, Cassandra, MongoDB, and Neo4. Tailored databases is a huge advancement, but cross-platform query capabilities means you are business is not siloed into any one platform – instead developers can choose to leverage any and all platforms. From a security standpoint this puts increased pressure on identity, role management, and file access capabilities to ensure data privacy; but the real news is the huge advancement in capabilities for organizations who want to perform security analysis on any and all data. – AL
  7. Mr. Market weighs in on Trustwave’s IPO: After over three years, the verdict is in on Trustwave’s IPO. And the jury says: thumbs down. Trustwave has pulled their plans to go public, clearly due to tepid market response. There were clearly pretty good market conditions over the past year (FEYE, PANW, etc.) to get deals done for strong security companies. But the market cycles; with the general deflation of high-multiple, stocks companies wanting to go public need rock-solid financials. Which is the way it should work. There are a bunch of bubblicious tech market sectors and security (or ‘cyber’ as investors call it) was one of them for quite a while. Now that’s cooled a bit, maybe the market will get back to evaluating companies on fundamentals, not whatever they were valuing them on for the past few years. – MR