Last week I mentioned how excited I was for the NFL season to be starting. I took the Boy to the Falcons’ home opener and it was awesome. It was a great game, and coming away with a victory in overtime was icing on the cake. As predicted, my voice was a bit rough on Monday from screaming all day Sunday, but it was worth it. I don’t think my son will ever forget that game, and neither will I.

Of course, I was expecting Monday to be all about the big victories. Who would have expected Buffalo to beat the Bears at home? Not me – I picked Chicago in my knockout pool, and was promptly knocked out. I’m like Glass Joe I get knocked out so early and often. At least that game happened during the Falcons game, so I wasn’t bothered to be setting $20 on fire. Again. And the Dolphins beating the Pats? Another surprise.

But the Monday news cycle was hijacked and dominated by the Ray Rice video. I will not link to it because it’s disgusting. The Ravens cut ties with the guy and now he’s suspended by the NFL. All of which is deserved. Can he rehabilitate himself? Maybe. Can he and his (now) wife work it out? Maybe. Was this an isolated incident, totally shocking and surprising to the people who claim to know him? No one knows that.

All we know is that at that moment in time, Ray Rice was a wife-beater. And he’ll suffer the consequences of that action for the rest of his days. But let’s take a more constructive view of the situation. How did he get so angry as to strike the person he claims to love the most? What could he have done differently to avoid finding himself in that situation or role? I don’t have any experience with domestic violence. I don’t let the Boy hit his sisters, no matter what they do. But I do know a thing or two about anger. Anger (and my inability to manage it) was my catalyst to start moving down the mindfulness path, as I described in my RSA talk with JJ (link below).

I am not going to preach the benefits of a daily hour of meditation. I won’t push anything except a little tactic I have learned, to both help me be aware of my increasing frustration, and to stop the process before it turns to anger and then rage. When I feel my fight or flight instincts kicking in, I smile and then take a deep breath. That brings my awareness out of the current stressful situation and lets me take a step back before I do something stupid. It allows me to sit with my frustration and not allow it to become anger. If it sounds easy, that’s because it is. It takes discipline to not take the bait, but it’s easy to do.

Of course this is not the right approach if you are being chased by a lion or an angry mob. At that point your fight or flight instincts are right on the money. But as long as your life is in no danger, a smile and then a deep breath work. At least they do for me.

You will get strange looks when you break into a smile during a tense situation. Folks may think you are crazy, and may get more fired up that you aren’t taking them seriously. I don’t worry about what other people think – I figure they prefer a smile to a felonious assault. We all need tactics to handle the stress in our lives. Figure out what works for you, and make it a point to practice. The unfortunate truth is that if you do security you will have plenty of opportunities for practice.


Photo credit: “[077/365] Remember to Smile” originally uploaded by Leland Francisco

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

The Security Pro’s Guide to Cloud File Storage and Collaboration

Trends in Data Centric Security

Understanding Role-based Access Control

NoSQL Security 2.0

Newly Published Papers

Incite 4 U

  1. Pay Apple: With Apple’s announcement today of Apple Pay, they have now released some details of how their payment architecture will work. Yes, it’s a wallet. Yes, it will use NFC to communicate cryptographically secured data to and from PoS systems. But there were a couple surprises. First, Apple will not store credit card numbers on devices, avoiding the possibility of a device being forced to cough up account information. Second, they will essentially create a token to represent the card, and very quickly become the largest issuer of payment tokens on the planet. Lastly, Apple says they will not collect merchant and other payment details related to the transaction, which we were very wrong about. There are many details to understand, but the basic architecture is sound. Use of the “secure element” on the device for payment data security is more than adequate, and if Apple is indeed shielding users’ personal information and credit cards from merchants, this is a big leap forward in both privacy and security. – AL
  2. We don’t need no stinkin’ files: As if you needed more proof that file-based tactics are insufficient to catch malware, check out this research showing attackers are now compromising devices via memory-based attacks, no longer requiring files. If there are no files, how can you match a file hash to a known bad hash on file? Right: AV DOA. Finally. Of course these attacks offer no persistence, so when the device is rebooted the infection is gone. But in many cases – especially if the device is being used as a pivot point in a broader attack – persistence isn’t necessary. This isn’t completely new – these attacks have been around for a while, but we didn’t see them in standard attack kits. – MR
  3. Cloners: Relational database updates have always been tricky – a missing permission or poorly authored update script can not only halt the entire process halfway through, but corrupt the database itself. Chris Riley over on the DevOps blogs offers good advice on keeping databases healthy. But a single big hairy database server is now quaint – DevOps, coupled with virtual and cloud services, makes taking snapshots of hot-standby databases cost-effective and trivially easy. Patched and unpatched copies can be ready, and quickly pushed in or pulled out in case a patch causes side effects. It requires re-architecting database deployments already in production, and you still may need to recover some transactions, but uptime and survivability are vastly better. Database upgrades are still nasty, scary, and difficult; but clones reduce side-effects and downtime. – AL
  4. The Game Over myth: The game is never over. If you have been in security more than a year you know that. You can cut off one head of the hydra, but two more grow back. The resurgence of ransomware even after the Gameover botnet was taken down in the spring just reinforces that. So what to do? Get your Zen on, accept that there will always be bad actors, and they will always be trying to steal. Whether it is a physical stick-up or a computer theft, it’s all the same. If you can be objective enough to appreciate the resilience of the botmasters you have all the evidence you need that this problem is not going away. Although you can protect yourself and your family by not clicking on links in emails and taking simple security precautions. And being thankful that you know how to clean up when friends and family get nailed. – MR
  5. Closed container: When you encrypt email you can no longer see the message contents, which is great for privacy. On the other hand it’s also a great advance for spammers, who want to slip their poop through filters. Most filters don’t work if they cannot read the message, and IP reputation systems can be bypassed. Mike Hearn discusses the challenges of anti-spam when using end-to-end encryption, and how tactics from the last 15 years are doomed to fail in this environment. He shares a couple ideas about how to deal with encrypted spam, including a vetting process of countersigning from trusted parties, and another from the bitcoin realm: establishing a marginal cost to establish a digital identity, burdening spammers with overhead, and still requiring trust be earned. – AL
  6. Master of the Obvious: enterprises are still phish food: You can tip your hat to McAfee, who wins this week’s Master of the Obvious award for reminding us that phishing still works. Duh. Of course there are many different phishers, and some quite sophisticated and nefarious using targeted attacks. Others just run kits they bought online. Again, what can you do to protect your organization? Rewriting links in incoming email is a good start. Then you can proxy (and analyze) the site before the user ever gets there. It’s not foolproof but it certainly stops obvious malware from making it onto users’ devices. You should also be running simulations on your employees, because showing them seems to work a lot better than other educational. – MR