Research

You will probably read this on Thursday or even Friday, and that’s late. This week got all screwed up. It’s a little matter of a bunch of things happening at the same time, mostly personal, all good. So Monday was a holiday for me and starts the fall renewal process where I don’t set goals and don’t worry about what I’m striving for any more. It also turns out Monday night was the Falcons home opener. Many of my ATL buddies consider me a sinner for going to a football game on the High Holy Days. As I told the Boss, “Football is my other religion,” so there was never a question whether I would go. Normally I work late on Tuesday night, but we took XX2 to see a Ben Folds concert for her birthday. So up late Monday (I’ll get to that) and up late Tuesday. And a check-up for the kids Wednesday morning. Which means not a lot of time to actually, well, work. And I won’t even mention the road trip to go see the Giants play in Carolina on Thursday night. Yeah, I have a pretty sweet deal. Now back to Monday night. Everyone was amped up for the game. The Broncos and their rebuilt QB, Peyton Manning, were in town. The atmosphere was electric. Until about midway through the first quarter, when the replacement refs lost control of the game. I mean totally lost control. I have never seen anything like it. Penalties were reversed or not called. Fights broke out. The ball was spotted wrong. The first quarter took over an hour. Monday Night Football didn’t end until Tuesday morning. NFL referees are like security folks. Until they are gone and all hell breaks loose, you don’t even notice them. The NFL is taking a hard line about pensions, and they locked out the regular referees. I thought I had a sweet deal, but refs have it pretty good too. Some make as much as $120K a year to work maybe 20 games, including playoffs. Even based on the NFL’s latest offer, they’ll still get something like $15K contributed to retirement. But it’s not enough. Everyone always wants more. So the NFL finds replacement refs, most of whom do a good enough job. Some don’t (like the team on the field in ATL on Monday night). But at the end of the day, Steve Young was right. The NFL is in an inelastic demand situation, and how cool is it that a Hall of Fame QB talks about Econ 101 on national TV? The NFL will take a hard line because the fans will continue to show up. And we will. I’ll bitch and moan to my pals. The football talking heads (which is actually a much bigger echo chamber than security) will bitch and moan. The fans will keep showing up. As evidenced by my upcoming road trip to Charlotte. So the scabs will continue to be entrusted with keeping games on track and in control. Hopefully no one gets hurt and the games end fairly. Truth be told, scabs is a derogatory and unfair term for the replacement refs. It’s not their fault they are in deep water. It’s like taking a recent security graduate and asking them to defend something important from [name your favorite pen tester]. It’s going to end poorly. Ultimately the real refs will cave. It’s all about the leverage. It’s always about the leverage. The real refs have none. The NFL continues to have record ratings and record attendance and record activity in the NFL ecosystem, even with replacement refs. And once the refs realize they are very small cogs in a multi-billion-dollar wheel, they will pull off the scabs and get back to work. –Mike Photo credits: Scabs originally uploaded by Thomas Hawk Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Defending Against Denial of Service (DoS) Attacks Introduction Securing Big Data Security Issues with Hadoop Incite 4 U What makes an expert? Rob G levels a very uncharacteristic personal attack in his The know-nothings of cybersecurity, with the argument that someone who hasn’t actually configured a firewall or injected SQL cannot really be an expert. I reject that – it depends on what aspect of cybersecurity you’re talking about. A cybersecurity policy wonk probably hasn’t pwned devices using cool XSS code, but that doesn’t mean they don’t understand policies. And even if you are talking about technical expertise, it depends on who you’re talking to. Anyone can be an expert, if they are talking to n00bs. I’m no fan of generic statements that can’t be proven, nor am I a fan of the tons of charlatans claiming to be something they aren’t. But I don’t buy that there is only one kind of cybersecurity expert. – MR Mobile payments are HOT HOT HOT: Hat tip to Martin McKeay for bringing this up as we were recording this week’s Network Security Podcast. It looks like the PCI Council is going to release guidance on mobile payment applications. This is a big deal – a lot of apps tie into credit cards in some way, shape, or form. On one side are tools like Square payment card readers, but I suspect we might see other forms of apps tying to credit cards coming under scrutiny. It’s not something I would put money on – just something to watch. Think of all the QR-code based apps that use credit card somewhere on the back end. Then again, the PCI will do whatever they expect to piss off the smallest number of vendorsmembers, and Visa will end up making a blanket decision, anyway. – RM Estimates are like … never mind: There is a reason

Hang with me as I channel my inner Kerouac (minus the drugs, plus the page breaks) and go all stream of consciousness. To call this post an “incomplete thought” would be more than a little generous. I believe we are now deep in the early edge of a major inflection point in security. Not one based merely on evolving threats or new compliance regimes, but a fundamental transformation of the practice of security that will make it nearly unrecognizable when we finally emerge on the other side. For the past 5 years Hoff and I have discussed disruptive innovation in our annual RSA presentation. What we are seeing now is a disruptive conflagration, where multiple disruptive innovations are colliding and overlapping. It affects more than security, but that’s the only area about which I’m remotely qualified to pontificate. Perhaps that’s a bit of an exaggeration. All the core elements of what we will become are here today, and there are certain fundamentals that never change, but someone walking into the SOC or CISO role of tomorrow will find more different than the same unless they deliberately blind themselves. Unlike most of what I read out there, I don’t see these changes as merely things we in security are forced to react to. Our internal changes in practice and technology are every bit as significant contributing factors. One of the highlights of my career was once hanging out and having beers with Bruce Sterling. He said that his role as a futurist was to imagine the world 7 years out – effectively beyond the event horizon of predictability. What I am about to describe will occur over the next 5-10 years, with the most significant changes likely occurring in those last 7-10 years, but based on the roots we establish today. So this should be taken as much as science fiction as prediction. The last half of 2012 is the first 6 months of this transition. The end result, in 2022, will be far more change over 10 years than the evolution of the practice of security from 2002 through today. The first major set of disruptions includes the binary supernova of tech – cloud computing and mobility. This combination, in my mind, is more fundamentally disruptive than the initial emergence of the Internet. Think about it – for the most part the Internet was (at a technical level) merely an extension of our existing infrastructure. To this day we have tons of web applications that, through a variety of tiers, connect back to 30+-year-old mainframe applications. Consumption is still mostly tied to people sitting at computers at desks – especially conceptually. Cloud blows up the idea of merely extending existing architectures with a web portal, while mobility advances fundamentally redefine consumption of technology. Can you merely slop your plate of COBOL onto a plate of cloud? Certainly, right as you watch your competitors and customers speed past at relativistic speeds. Our tradition in security is to focus on the risks of these advances, but the more prescient among us are looking at the massive opportunities. Not that we can ignore the risks, but we won’t merely be defending these advances – our security will be defined and delivered by them. When I talk about security automation and abstraction I am not merely paying lip service to buzzwords – I honestly expect them to support new capabilities we can barely imagine today. When we leverage these tools – and we will – we move past our current static security model that relies (mostly) on following wires and plugs, and into a realm of programmatic security. Or, if you prefer, Software Defined Security. Programmers, not network engineers, become the dominant voices in our profession. Concurrently, four native security trends are poised to upend existing practice models. Today we focus tremendous effort on an infinitely escalating series of vulnerabilities and exploits. We have started to mitigate this somewhat with anti-exploitation, especially at the operating system level (thanks to Microsoft). The future of anti-exploitation is hyper segregation. iOS is an excellent example of the security benefits of heavily sandboxing the operating ecosystem. Emerging tools like Bromium and Invincea are applying even more advanced virtualization techniques to the same problem. Bromium goes so far as to effectively virtualize and isolate at a per task level. Calling this mere ‘segregation’ is trite at best. Cloud enables similar techniques at the network and application levels. When the network and infrastructure are defined in software, there is essentially zero capital cost for network and application component segregation. Even this blog, today, runs on a specially configured hyper-segregated server that’s managed at a per-process level. Hyper segregated environments – down, in some cases, to the individual process level – are rapidly becoming a practical reality, even in complex business environments with low tolerance for restriction. Although incident response has always technically been core to any security model, for the most part it was shoved to the back room – stuck at the kids’ table next to DRM, application security, and network segregation. No one wanted to make the case that no matter what we spent, our defenses could never eliminate risk. Like politicians, we were too frightened to tell our executives (our constituency) the truth. Especially those who were burned by ideological execs. Thanks to our friends in China and Eastern Europe (mostly), incident response is on the earliest edge of getting its due. Not the simple expedient of having an incident response plan, or even tools, but conceptually re-prioritizing and re-architecting our entire security programs – to focus as much or more on detection and response as on pure defense. We will finally use all those big screens hanging in the SOC to do more than impress prospects and visitors. My bold prediction? A focus on incident response, on more rapidly detecting and responding to attacker-driven incidents, will exceed our current checklist and vulnerability focused security model, affecting everything from technology decisions to budgeting and staffing. This doesn’t

How do I secure “big data”? A simple and common question. But one without a direct answer – simple or otherwise. We know thousands of firms are working on big data projects, from small startups to large enterprises. New technologies enable any company to collect, manage, and analyze incredibly large data sets. As these systems become more common, the repositories are more likely to be stuffed with sensitive data. Only after companies are reliant on “big data” do they ask “How can I secure it?” This question comes up so much, attended by so much interest interest and confusion, that it’s time for an open discussion on big data security. We want to cover several areas to help people get a better handle on the challenges. Specifically, we want to cover three things: Why It’s Different Architecturally: What’s different about these systems, both in how they process information and how they are deployed? We will list some of the specific architectural differences and discuss how how they impact data and database security. Why It’s Different Operationally: We will go into detail on operational security issues with big data platforms. We will offer perspective on the challenges in securing big data and the deficiencies of the systems used to manage it – particularly their lack of native security features. Recommendations and Open Issues: We will outline strategies for securing these data repositories, with tactical recommendations for securing certain facets of these environments. We will also highlight some gaps where no good solutions exist. Getting back to our initial question – how to secure big data – what is so darn difficult about answering? For starters, “What is big data?” Before we can offer advice on securing anything, we need to agree what we’re talking about. We can’t discus big data security without an idea of what “big data” means. But there is a major problem: the term is so overused that it has become almost meaningless. When we talk to customers, developers, vendors, and members of the media, they all have their have their own idea of what “big data” is – but unfortunately they are all different. It’s a complex subject and even the wiki definition fails to capture the essence. Like art, everyone knows it when they see it, but nobody can agree on a definition. Defining Big Data What we know is that big data systems can store very large amounts of data; can manage that data across many systems; and provide some facility for data queries, data consistency, and systems management. So does “big data” mean any giant data repository? No. We are not talking about giant mainframe environments. We’re not talking about Grid clusters, massively parallel databases, SAN arrays, cloud-in-a-box, or even traditional data warehouses. We have had the capability to create very large data repositories and databases for decades. The challenge is not to manage a boatload of data – many platforms can do that. And it’s not just about analysis of very large data sets. Various data management platforms provide the capability to analyze large amounts of data, but their cost and complexity make them non-viable for most applications. The big data revolution is not about new thresholds of scalability for storage and analysis. Can we define big data as a specific technology? Can we say that big data is any Hadoop HDFS/Lustre/Google GFS/shard storage system? No – again, big data is more than managing a big data set. Is big data any MapReduce cluster? Probably not, because it’s more than how you query large data sets. Heck, even PL/SQL subsystems in Oracle can be set up to work like MapReduce. Is big data an application? Actually, it’s all of these things and more. When we talk to developers, the people actually building big data systems and applications, we get a better idea of what we’re talking about. The design simplicity of these these platforms is what attracts developers. They are readily available, and their (relatively) low cost of deployment makes them accessible to a wider range of users. With all these traits combined, large-scale data analysis becomes cost-effective. Big data is not a specific technology – it’s defined more by a collection of attributes and capabilities. Sound familiar? It’s more than a little like the struggle to define cloud computing, so we’ll steal from the NIST cloud computing definition and start with some essential characteristics. We define big data as any data repository with the following characteristics: Handles large amounts (petabyte or more) of data Distributed, redundant data storage Parallel task processing Provides data processing (MapReduce or equivalent) capabilities Central management and orchestration Inexpensive – relatively Hardware agnostic Accessible – both (relatively) easy to use, and available as a commercial or open source product Extensible – basic capabilities can be augmented and altered In a nutshell: big, cheap, and easy data management. The “big data” revolution is built on these three pillars – the ability to scale data stores at greatly reduced cost is makes it all possible. It’s data analytics available to the masses. It may or may not have traditional ‘database’ capabilities (indexing, transactional consistency, or relational mapping). It may or may not be fault tolerant. It may or may not have failover capabilities (redundant control nodes). It may or may not allow complex data types. It may or may not provide real-time results to queries. But big data offers all those other characteristics, and it turns out that they – even without traditional database features – are enough to get useful work done. So does big data mean the Hadoop framework? Yes. The Hadoop framework (e.g. HDFS, MapReduce, YARN, Common) is the poster child for big data, and it offers all the characteristics we outlined. Most big data systems actually use one or more Hadoop components, and extend some or all of its basic functionality. Amazon’s SimpleDB also satisfies the requirements, although it is architected differently than Hadoop. Google’s proprietary BigTable architecture is very similar to Hadoop, but we exclude

Our very own Gunnar Peterson is co-presenting what looks like an insanely awesome mobile application security class. And with a name like The Mobile App Sec Triathlon you know I am interested. The class is November 5-7 in San Jose, and you can get more information and sign up This class covers what developers, architects, and security people should know when working on Mobile, iOS, and Android. The first day is more high level, with the second two days all developer hands-on. Gunnar also wrote a post on why he trains, with a lot more information. This is really a great opportunity, and I don’t believe there is anyone else as qualified offering this sort of class. Share:

In today’s news we see yet another zero-day Internet Explorer exploit being used in the wild. And once again, soon after becoming public, an exploit was added to Metasploit. Well, sort of. While the in-the-wild attack only works against Windows XP, the Metasploit version works against Windows 7 and Vista. (Note that IE 10 isn’t affected). You can read the article linked above for the details, but this gets to something I have been recommending privately for a while: support 2 browsers, even if one is only for emergencies. First of all, ideally you’ll be on a modern operating system. I’m not one to blame the victim, but allowing XP is a real problem – which I know many of you fight every day. Second, this advice doesn’t help with all browser-based attacks, especially Java. But you can configure it in a way that helps. Choose a secondary browser that is allowed for web browsing. Chrome is most secure right now, but make sure you set its privacy defaults to not bleed info out to Google. Ideally block Java in the browser. Maybe even Flash, depending on how you feel about the Chrome sandbox. If something like this IE flaw hits, notify users to use the secondary browser for outside websites (odds are you need IE for internal web apps programmed by idiots or 19th-century transplants, and so cannot ban it completely). If you can, set a network policy that (temporarily) blocks IE from accessing external sites (again, you can make exemptions for partners). Unfortunately I don’t believe many tools support this. I know this advice isn’t perfect. And there are tools like Invincea and (soon) Bromium that can likely stop this stuff cold in the browser – as well as a few network tools, although history shows signature-based defenses aren’t all that effective here. But if you can pull it off you aren’t stuck waiting for a patch or another workaround. Especially if you go with the “block Java / isolate or block Flash” option. This approach allows you to still only support one browser for your applications, and use a secondary one when needed without users having to violate policy to install it themselves. Share:

For years security folks have grumbled about the role compliance has assumed in driving investment and resource allocation in security. It has all been about mandates and regulatory oversight, which drive a focus on protection, ostensibly to prevent data breaches. We have spent years in the proverbial wilderness focused entirely on the “C” (Confidentiality) and “I” (Integrity) aspects of the CIA triad, mostly neglecting the “A” (Availability). But that hasn’t worked out too well. Regulators pretty much only care whether data leaks out. They don’t care about the availability of systems – data can’t leak if the system is down, right? Without a clear compliance-driven mandate to address availability (due to security exposure), many customers haven’t and won’t do anything. Of course attackers know this. So they have adapted their tactics to fill the vacuum created by compliance spending. They increasingly leverage availability-impacting attacks to both cause downtime (costing site owners money), and use availability issues to mask other kinds of attacks. Yes, these availability-impacting attacks are better known as Denial of Service (DoS) attacks. To be clear, most security professionals are very familiar with DoS attacks. It may be hard to remember back over a decade ago, but in the heyday of the Internet bubble we saw many old-fashioned Distributed DoS (DDoS) attacks targeting high profile web properties (think Yahoo and E*Trade, back in the day), with attackers like Mafiaboy doing the damage more for notoriety than to cause real economic damage. Over the past decade attackers have reoriented toward financially motivated attacks, which has meant increasingly application-centric attacks designed to evade detection and exfiltrate lucrative data. Obviously knocking down a target interferes with efforts to rob it electronically. But DDoS never really went away – it became a supplementary extortion tactic. In this scenario, attackers would communicate with a company and promise to knock down their site unless they received a ransom. It’s a simple shakedown move, and many targets were simply unable to survive a significant outage. They paid up rather than fight. We didn’t hear about many of these attacks – nobody wants to publicize that they are vulnerable to shakedowns. But that is all changing now. It’s like Back to the Future a bit – the rise of hacktivism has brought the Denial of Service back into a prominent position in the nightmares of security folks. Facilitated by the availability of open source tools such as LOIC and the availability of bot networks to launch attacks, a DoS renaissance is underway – which means availability has once again become a major factor in security architecture and control design. We try to do forward-looking research at Securosis. So we have started poking around, talking to practitioners about their plans, but we still see a knowledge gap around the kinds of Denial of Service attacks in use today and the defenses needed to maintain availability. So today we launch a new series: Defending Against Denial of Service Attacks, which will (unsurprisingly) provide guidance on the DoS attacks in use today, defensive tactics, and the basic process required for any chance to defend your organization. Let’s start by understanding the major kinds of DoS attacks. Flooding the Pipes versus Filling the Servers We’ll dig into specific attack tactics in much more depth in the next post, but to understand Denial of Service we need to draw a clear distinction between network-based attacks and application-based attacks. Both have the same objective: to impair availability – but they go about it in fundamentally different ways. Network-based attacks overwhelm the network equipment and/or totally consume network capacity by throwing everything including the kitchen sink at a site. This prevents legitimate traffic from getting to the site. This volumetric type of attack tends to be what most folks consider Denial of Service, because it is the most visible type. If your adversary has a big enough cannon it’s very hard to defend against these attacks, and you will quickly be reminded that bandwidth may be plentiful, but it’s certainly not free. Application-based attacks are different – they target weaknesses in web application components to consume all the resources of a web, application, or database server to effectively disable it. These kinds of attacks can target either vulnerabilities or ‘features’ of an application stack to overwhelm servers and prevent legitimate traffic from accessing web pages or completing transactions. The beginning of a network-based attack is fairly obvious. But application-based DoS attacks are less obvious – you are unlikely to discover the attack is underway until servers inexplicably start falling over – so they require more sophisticated defenses. That said, much of DoS defense is about properly leveraging existing controls, and of course compliance mandates haven’t gone away, so still have those required controls. Since you are already robbing Peter to pay Paul to address audit deficiencies, for DoS protection you need to focus your defenses on the attacks you are most likely to see. Which brings us to our next concept: studying your adversaries. Adversary Analysis A new tactic increasingly leveraged by security practitioners is adversary analysis. It’s not enough to just understand attacks and build defenses based on attacks – there is simply too much attack surface, and too many attack vectors. Your security success depends on your ability to prioritize your efforts, as we hammered home in the Vulnerability Management Evolution paper. This involves making strategic bets about who is most likely to attack you and what tactics they tend to use. This will enable you to build control sets with the right initial focus, based on what’s likely to happen. Of course you will be wrong – attackers evolve tactics over time – but in the universe of things you can do, this approach helps narrow your options into something (mostly) manageable. So let’s coarsely group the kinds of adversaries who use DoS attacks. Protection Racketeers: These criminals use a DoS threat to demand ransom money. Attackers hold a site hostage by threatening to knock it down, and sometimes follow

Rich here. Way **way** back in my earliest Gartner days one of my first speaking engagements was a series of three-city tours where I was paired up with an extremely experienced telecom analyst. I was still in my twenties, and probably wasn’t qualified to wash my privates — never mind advise anyone on their security strategy. This was an awesome training ground for a number of reasons. First of all, the stakes were low — these were smaller audiences, out for a free event. Second was all the practice I got, giving the same talk three days in a row to different groups. And it was great to work with an exceptionally good speaker with oodles of experience. But that’s not what I’m going to talk about. The best part for me, as someone with an unhealthy attraction to wireless devices, was spending time with someone who’d been on the inside of the telecom industry for over 20 years. The tech part I could understand easily enough, but the business side was far more fascinating than I expected. And this was after I had worked in Europe for a few months helping design the first system to sell and activate mobile phones over the Internet. Nick hammered one rule into my head that hasn’t changed in the dozen-odd years since. “Telecom providers are greedy and stupid”. Every single decision they make is dependent on those baseline traits. This is especially relevant as I try and figure out just what combination of iPhone 5 and data plan will best fit my needs. First there are the relevant technology limitations. Such as the fact that LTE is a data-only standard, and carriers around the world haven’t really figured out the voice details. So the phones have to support their *old* voice and data standards (GSM or CDMA) *plus* LTE, and your phone might behave differently depending on your coverage. The best example is that Verizon only supports voice and data at the same time if you are on LTE, but not on 3G. Then there are all the roaming agreements and spectrum issues for us world traveler types. Like when I was in Russia and it was $5 per minute for voice calls *on the discounted plan*. For comparison a satellite phone is around $1 per minute, but you need a clear view of the sky. Then there are the plan and transition issues. All the carriers hooked us with unlimited data, then said “f*** off — you are over-using what you paid for”. So we have things like shared data plans, which look better but probably cost more for most people. And then there is the very special case of AT&T, who will change their iPhone 5 signal indicator to a big fat middle finger. (Or the other 2-finger gesture, if you are roaming from the UK). Want FaceTime over cellular? Just switch to our more expensive plan and consider yourself lucky we **let** you install Angry Birds! You want 4G? Fine, we’ll change the display to say 4G to shut you up. Not that Verizon is innocent. They might make a big deal over not restricting FaceTime, but they have to allow it (and Personal Hotspot) thanks to agreements they made with the US government for LTE spectrum. It’s only a feature because they were forced. And those of you in Europe and Asia? Man, when I worked in Europe back around 2000 it was paradise compared to the US. Now I hear it’s more like paying for a high-priced dominatrix who beats the crap out of anyone else who looks at you funny. And that still beats Australian providers, who are friggin’ Mother Theresas compared to *Canadian* providers. So I hear. Then again, us Apple folks live in paradise compared to all the hacked-together Android phones you can’t update, which carriers load down with their “value add” user interfaces and crapware. I don’t mind the carriers making money, and I don’t mind paying for my data, but they clearly haven’t figured out that brand loyalty and happy customers might, just possibly, come from a positive user experience beyond “Oh good, I didn’t lose this call.” Instead of adopting the traits that made Apple so popular, they are trying their damndest to maxmize revenue and reduce churn through penalty-based lockin. But it could be worse. They *could* start smashing your head against a wall of glass shards while calmly stating “your call is very important to us,” like cable companies. On to the Summary: ##Webcasts, Podcasts, Outside Writing, and Conferences * [Mike quoted in this Silicon Angle series on CyberWars](http://siliconangle.com/blog/2012/08/07/cyberwars-caught-in-the-crossfire-cyberwars/). Probably too much hype here and overuse of buzzwords, but decent perspectives on the attackers. [Part 1](http://siliconangle.com/blog/2012/08/07/cyberwars-caught-in-the-crossfire-cyberwars/), [Part 2](http://servicesangle.com/blog/2012/08/08/cyberwars-2-welcome-to-the-wild-wild-west-cyberwars/), [Part 3](http://servicesangle.com/blog/2012/08/09/cyberwars-3-a-new-business-reality-cyberwars/) * Rich quoted [about a not-so-great mobile study](http://securitywatch.pcmag.com/none/302447-problems-with-pew-s-mobile-privacy-study). ##Favorite Securosis Posts * Adrian Lane: [The Five Laws of Data Masking](https://securosis.com/blog/the-five-laws-of-data-masking). I pulled another classic Securosis post for this week’s fave. * Mike Rothman: [Incite 1/25/2012: Prized Possessions](https://securosis.com/blog/incite-1-25-2011-prized-possessions). Evidently we don’t blog any more (doh!), so we have taken to digging through the archives and highlighting pieces from the past. Here is an Incite I wrote back in January, and it reminds me of what’s important. To me, anyway. * Rich: Mike starts his new DDoS series — [Defending Against Denial of Service (DoS) Attacks](https://securosis.com/blog/defending-against-denial-of-service-dos-attacks-new-blog-series) ##Favorite Outside Posts * Mike Rothman: [It’s More Important to be Kind than Clever](http://blogs.hbr.org/taylor/2012/08/its_more_important_to_be_kind.html). Most businesses are always striving for improvement. But at what cost? This HBR post puts things in the proper context. _”Just make sure all their efficiency doesn’t come at the expense of their humanity.”_ * Adrian Lane: [Tracking Down the UDID Breach Source](http://intrepidusgroup.com/insight/2012/09/tracking-udid-src/). The thoughtful quest to figure out the UDID breach source. Well done! * Rich: Verizon’s [third post in a series on opportunistic attacks](http://securityblog.verizonbusiness.com/2012/09/11/ask-the-data-on-opportunistic-attacks-part-3/). I may pick on the wireless side, but the Verizon Business security guys are our best industry source for data driven reports right now. ##Research Reports and Presentations * [Understanding and Selecting Data Masking Solutions](https://securosis.com/research/publication/understanding-and-selecting-data-masking-solutions).

It seems like so long ago that I read the Opposites board books to the kids when they were toddlers. And it was. Today XX2 and the Boy turn 9. It’s hard to believe how quickly the time has flown. Just yesterday I was emailing with an old colleague and I figured his youngest daughter must be in college by now. Turns out she graduated last year and is now in a PhD program. I’m no spring chicken anymore, that’s for sure. On a more dour note, yesterday we remembered the tragedy of 9/11. For us the contrast between 9/11 and 9/12 couldn’t be more pronounced. When the twins were born in 2003, the emotions around 9/11 were still very raw. Yet, after a challenging pregnancy, including carrying close to 13.5 pounds of baby for 37 weeks, the twins showed up the day after. Talk about opposite emotions. But that’s not all that’s opposite. I look at the twins now and they seem like polar opposites. It’s not just their respective genders. XX2 is loud and over the top. The Boy is pretty shy and reserved. Their interests are different. Their strengths are different. Their weaknesses are different. What they eat is different too. It’s like looking at Yin and Yang every day. Obviously dealing with opposites can be challenging at times. But we not only tolerate, we embrace their individuality. We push the kids to be their own people and have their own interests. To find their likes, understand their dislikes and hopefully spend more time doing the former than the latter. They need to embrace the fact they are different from each other, from XX1, and from us. Even though they were born on the same day, that shouldn’t define the twins or their relationship. It was funny visiting camp with them, where we met a bunch of folks who had no idea they were twins. Brother and sister clearly, but also individuals. They weren’t constrained by being in the same grade, getting on the same bus, or having the same family friends. They could just be XX2 and the Boy. They’re lucky, as they’ve always had someone to play with and talk to, even before either could really talk. It’s true that many siblings have that kind of bond, but with twins it’s different. They not only share a birthday, but they share some kind of strange bond that outsiders can’t understand. They probably won’t appreciate it until they get older, but they don’t need to. For now, we’ll live in the moment and wish them a Happy 9th Birthday! -Mike Photo credits: Yin Yang Candy originally uploaded by FadderUri Incite 4 U Research, not hyperbole: The first I heard of the supposed AntiSec/FBI/Apple UDID ‘hack’ last week was via email from a journalist I respect. He was checking in on the plausibility of the scenario. I was out of the office, but after a bit of research my response was (real cut and paste here): “I can’t really say anything informative. Could be true, could be BS, could be data they got from another source and then are pretending is from the FBI. No real way to know what’s true, and the folks who do this sort of thing like using a lot of disinformation.” Thanks to David Schuetz (@DarthNull) we have evidence the data came from an app vendor. The initial denials from the FBI and Apple, and the vendor saying they think it was them, reinforce this. As we continue our journey into the days where chaotic actors directly manipulate the press through social media, perhaps we should keep a little skepticism on the table. (Great work David!) – RM Targeted, not targeted attacks: It’s great that guys like Jay Jacobs have the time to mine security data and sometimes come across some pretty interesting ideas. Many of us make decisions mostly based on anecdotal evidence, which is usually close enough to point you in the right direction. But being able to analyze and quantify things can be cool. Jay just finished up a series examining what he calls opportunistic attacks (Part 1, Part 2), which are basically non-targeted attacks. But that gets back to how you define targeted. We tend to think about a targeted attack as focused on a specific organization, but as Jay shows, the bad guys are actually targeting by focusing their recon activities. They looked for a specific port, usually sending just one packet, and if they didn’t find it open, they moved on to the next target. Evidently it’s a big world and they don’t want to spend a lot of time going deep into a site to find an issue that may or may not be there, so they just move on. So these attackers are actually targeting, but a specific vulnerability rather than a specific victim. – MR A long way to go: Tom’s IT has a visual history of cryptography. What struck me, when looking at cryptography in this way, is how backwards it all seems. Simplistic, unscientific, and less than parlor trick obscurity. It dawns on you just how bad cryptography has been until very recently, and with the rate of change we are seeing, how much further we need to go. When I learned cryptography, DES was widely used and shipping 40-bit encryption algorithms out of the country would get you locked up for violating federal munitions restrictions. There was still a sense of mystery to it. Like most technologies, we have improved exponentially at algorithms and understanding attacks in just the last 10-15 years. But something about this visual representation makes me think we are still in the dark ages of this science. – AL Maximizing your pen test: Good post here on the SpiderLabs blog about how to get the most from your pen test. Yes, it’s a lot of common sense, but that’s okay. Far too many folks apply precious little sense in their daily activities. Their point is to

I thought 35 years later, Voyager 1 is heading for the stars was very cool. It brought back many memories of starting my career at Jet Propulsion Laboratories. Voyager had been in space for a decade when I started there, but these satellites were just starting to send the stunning images back from Saturn and Jupiter. Every morning people got into work early just to see what data was sent back from the night before. Friends were processing the images, doing error and color corrections, and we were seeing other planets up close and personal for the first time. We used to get copies provided to us as employees, many with color enhancement to highlight certain features of the planets and moons. It added an element of excitement to my early career that almost made us forget we were at work. And it was fun working there. JPL teemed with really smart Caltech grads with math skills beyond most mortals. I got to see Carl Sagan speak – twice. I got to see artifacts from the rocket projects that nearly burned down the Caltech campus, and prompted JPL’s creation in the back canyons of La Canada – where they were unlikely to set anyone else on fire. I went on tours of many of the projects, control centers, and laboratories where components of space vehicles were tested. And there were many other satellite projects going on at the time, like the Galileo Spacecraft, which was in many ways more impressive that Voyager. Sure, doing mainframe and dBaseIII+ database programming seemed mundane in comparison, but what I was actually being paid for was just a small part of working there. Stuff like Voyager got me interested in science and technology, and at the time I thought I was working in one of the coolest places on the planet. It helped pushed me through college because I knew there was way more interesting stuff going on outside – in the real world. Where else could you go see wind tunnels and rocket engines and hand-held nuclear reactors and giant gold-plated radio antennae during your lunch break? The back lot was quite literally a bunch of “space junk”, with things like a platform that held the lunar rover on the Apollo spacecraft during its trip to the moon just lying in the weeds. How freakin’ cool is that? And I marvel at a simple, fragile appliance that was catapulted into space at catastrophic speeds, through planetary rings and heated fields of plasma. Something designed and built before the Apple II was even available for sale. But it continues to function and send back radio data to this day. Amazing. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted in a Silicon Angle series on CyberWars. Probably too much hype and overuse of buzzwords, but decent perspectives on the attackers. Part 1, Part 2, Part 3 Mike’s Dark Reading column on tough choices. Rich will participate on Protecting Your Digital Life August 22.. Adrian joined Rich and Martin on The Network Security Podcast, episode 285. Adrian won the Nimby Award for Best Identity Forecast Blog. Favorite Securosis Posts Mike Rothman: Gaming the Tetragon. Since we haven’t written much new stuff of late, I figured I’d go back and mine some of the classics of yore. My recent rant on Earning Quadrant Leadership wasn’t the first time I made similar points about the MQ. The first was a couple of months after I joined Securosis, in this post complete with a fancy picture. Users should pay attention to this stuff because if your preferred solution isn’t in the ‘right’ quadrant you might not get to buy it. So you need to game the system from both sides. Adrian Lane: Database Connections and Trust. This week I pulled out an old post to show the app developer mindset – when it comes to data storage and non-relational environments these issues are even more important. Other Securosis Posts Incite 9/4/2012: Dealing with Dealers. Friday Summary: August 31, 2012. Favorite Outside Posts Adrian Lane: Advanced Exploitation of Xen Hypervisor Memory Corruption Bug. On the more technical side, but this is interesting. Mike Rothman: Mobile Attack Surface. GP does it again. Great post here expanding on some of Jim Manico and Jim Bird’s work on defining mobile attack surface. This quote is right on the money: “I use the Attack Surface Model in combination with a Threat Model to identify and locate countermeasures.” Mobile devices are necessarily different and we need to start thinking about how our security is gong to necessarily change. Necessarily. Project Quant Posts Malware Analysis Quant: Index of Posts. Malware Analysis Quant: Metrics – Monitor for Reinfection. Malware Analysis Quant: Metrics – Remediate. Malware Analysis Quant: Metrics – Find Infected Devices. Malware Analysis Quant: Metrics – Define Rules and Search Queries. Malware Analysis Quant: Metrics – The Malware Profile. Malware Analysis Quant: Metrics – Dynamic Analysis. Research Reports and Presentations Understanding and Selecting Data Masking Solutions. Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks. Implementing and Managing a Data Loss Prevention Solution. Defending Data on iOS. Malware Analysis Quant Report. Report: Understanding and Selecting a Database Security Platform. Vulnerability Management Evolution: From Tactical Scanner to Strategic Platform. Top News and Posts Hacker ‘steals’ Hertfordshire Police Database. Anonymous Leaks Apple UDIDs Following Alleged Hack of FBI. How the FBI might’ve been owned (12M Apple records). FBI Says Laptop Wasn’t Hacked; Never Possessed File of Apple Device IDs. Confirm nothing. Deny everything. Make counter-accusations. That’s the playbook. Apple Releases Fix for Critical Java Flaw. Hacker steals $250k in Bitcoins from online exchange Bitfloor. FBI Arrests Suspected LulzSec Hacker For Sony Pictures Attack. Right here in the greater Phoenix area. Huh. Adobe fixes Photoshop heap overflow. McAfree has detected 1.5 million new malware samples in the last three months. A Handy Way to Foil ATM Skimmer Scams. TSA Denies Stonewalling Nude Body-Scanner Court Order. Blog Comment of the Week Remember, for every comment

Back in March I mentioned it was about time for a new set of wheels. Of course nothing happens quickly in my world, so it wasn’t until mid-June that I got serious about a new car. You’d figure a guy like me would relish the opportunity to sit across from a car salesperson and beat them into submission to get the best deal. I’m not the kind of guy to blink, and I’d just as soon walk out if I don’t get what I want. Turns out I’ve been there and done that, and despite living to tell the tale, I have learned there is a better way to skin this specific cat. Of course, not everyone gets this or is willing to listen to a different approach. I remember 8 years ago when my in-laws told me they were going to test drive a new car. I told them not to buy the car that day. Just go in and test drive it. That I’d help them and save them some money. Sure enough they had to drive over to show me their spanking new generic car that they bought right off the lot. From the first dealer they visited. They got a good deal. That was their story and they were sticking to it. But they pretty much got raped. Hard. I just shook my head. But you know, they felt good about it, so I wasn’t about to piss in their oatmeal. But going into a car dealership and buying a car is a pretty stupid way to do things. Regardless of how good a negotiator you are, if you go into a dealership to negotiate for a car you’re doing it wrong. About 10 years ago I was introduced to a service called Fighting Chance. It’s pretty much a research service for car buyers. I get the power of research and tracking trends and leveraging other folks’ experiences to save time and money. That’s what I do for a living, after all. The fine folks at Fighting Chance teach you how to buy the car based on what’s really happening in the field, give you information about promotions and deals, help you figure out the data you need to compare apples to apples, and provide target values for recent sales for the model you are looking for. The service is awesome. It costs something like $40 and has saved me thousands. Their idea is that a car is a commodity. If you live in a typical metropolitan area, each car brand has 10-25 dealers within a short drive who will be happy to sell you a car. The exact same car. It’s not like Dealer A has a different Honda than Dealer B. You don’t buy a commodity by dealing with one seller. Not if you’re smart, anyway. You buy a commodity by getting dealers to compete with each other. I won’t give away the exact process (you should buy the service), but it involves getting dealers to bid against each other. I was able to buy a brand new current model Honda CR-V substantially under invoice by getting bids from 5 local dealers. I handled the process via email and a few phone calls, and it took me a couple hours. By the way, most car dealers hate this approach. They prey on folks who don’t know what they are doing. But it turns out that smart dealers focus on volume and make it up on the back end through incentives and other payments from the manufacturers, with far higher margins on services and trade-ins. These folks love guys like me, since I know exactly what I want and can get the transaction done in an hour. Notice I said CR-V, not Prius V, my preference back in March. Both the Boss and the dealer pointed out to that driving only about 7,000 miles a year means negligible savings in gas, and for 10% less I could get the fully decked-out CR-V instead of a mid-level Prius V. And they were right. Who said I’m inflexible and rock-headed? –Mike Photo credits: USED CAR SALESMAN KITTY originally uploaded by victoriafee Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Pragmatic WAF Management Securing the WAF Application Lifecycle Integration Policy Management Incite 4 U Showing your true colors: Great post by Conrad Constantine about maintaining your sanity when dealing with a high profile incident. He should know – he was at ground zero for a pretty serious one. He points out that you’ll get to meet some pretty big wheels in your organization, and they will want answers and direction. Even if you don’t have any. He starts by telling you to keep a timeline of exactly what happened. Even if that information never sees the light of day (and likely it won’t) you need it. Conrad provides tips for playing above your pay grade and living to tell about it, and talks about the reality behind the PR spin machine. His point that it always ends at some point, and things go back to the new normal, are exactly right. But the best idea in the post is the reality of how people behave under duress: “Before anything else, no matter what field you work in during times of crisis you will see everyone’s true colors brought forth – not least of which – your own.” What he said. – MR Security Bypass: It’s not that IT users thumb their noses at IT security, as claimed by the author of this analysis of the iPass Mobile Workforce Report. But users sidestep anything that makes work more difficult. If the impediment is security controls on applications or data usage, users find ways around it. Mobile