Securosis

Research

Friday Summary: December 16, 2011

Aspartame is toxic, so they renamed it AsparSweet(tm) to confuse consumers. GMAC was fined for mistreating customers and accused of violating state laws, so they renamed themselves Ally. Slumping sales of high fructose corn syrup, a substance many feel contributes to obesity and reduced brain function, inspired the new name “corn sugar”. Euro bonds are now “stability bonds”. Corn-fed stockyard beef can now be labelled ‘Organic’. And then there is that whole weird discussion on whether pizza is legally a vegetable or not. How can you generate better sales in a consumer hostile market? Change names and contribute to politicians who will help you get favorable legislation, that’s how! Like magic, lobbying and marketing help you get your way. In this week’s big news we have the Stop Online Piracy Act. Yes, SOPA is a new consumer-hostile effort to prop up an old economic model. And as we witnessed for the last decade with RIAA and the MPAA, entrenched businesses want the authority to shut down web sites simply on the strength of their accusation of infringement on their IP – without having to actually prove their case. We know full well that a lot of piracy goes on – and for that they have my sympathy. We here at Securosis get it – our content is often repurposed without consent. But – as you can see here – there are other ways to deal with this. As I have written dozens of times, there are economic models that curtail piracy – without resorting to DRM, root-kitting customer PCs, or throwing due process out the window. The Internet is about exchange of information through a myriad of (social) interfaces for the public good. It has created fantastic revenue opportunities for millions, and is an invaluable tool for research and education. One downside is content theft. I am all for content owners protecting their content – I just want it to be done without undermining the whole Internet.

SOPA is the antithesis – its sponsors are perfectly willing to wreck the Internet to ensure nobody uses it to copy their wares. It’s the same old crap the RIAA has been pulling for a decade, in a new wrapper.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
Adrian on Top Down data security
Mike on Cloud Security in Datacenter Terms

Securosis Posts
New White Paper Published: Applied Network Security Analysis.
Incite 12/14/2011: Family Matters.
Pontification Alert: Upcoming webcast appearances.
Tokenization Guidance White Paper Available.
Friday Summary, December 9, 2011.

Favorite Outside Posts
Mike Rothman: It Won’t Be Easy for Iran to Dissect, Copy US Drone. It’s good to see someone is thinking about the reality of reverse engineering. But I suspect Iran would only have to consult your friendly neighborhood APT to get the schematics for a drone (or any of our other military devices).
Adrian Lane: Deconstructing the Black Hole Exploit Kit. A thorough look at an exploit kit – very interesting stuff!

Project Quant Posts
DB Quant: Index.
NSO Quant: Index of Posts.
NSO Quant: Health Metrics–Device Health.
NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
NSO Quant: Manage Metrics–Deploy and Audit/Validate.
NSO Quant: Manage Metrics–Process Change Request and Test/Approve.

Research Reports and Presentations
Applied Network Security Analysis: Moving from Data to Information.
Tokenization Guidance.
Security Management 2.0: Time to Replace Your SIEM?
Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
Tokenization vs. Encryption: Options for Compliance.
Security Benchmarking: Going Beyond Metrics.

Top News and Posts
Why Iran’s capture of US drone will shake CIA.
Nomination for the biggest personal washer (Individual) Poll Results for: Thursday, December 15, 2011.
sIFR3 Remote Code Execution.
Native webcam access in a browser using JavaScript & HTML5.
Congress Authorizes Pentagon to Wage Internet War.
Carrier IQ Explains Secret Monitoring Software to FTC, FCC.
Security updates for Windows and Java–with a Duqu Trojan patch–via Krebs.

Blog Comment of the Week
No comments this week. Guess we need to post more stuff!


Incite 12/14/2011: Family Matters

There are a couple calls you just don’t want to get. Like from the FBI when you’ve had some kind of breach and your secret recipe is listed on eBay. Or from the local cops because your kids did something stupid and you can only hope your umbrella policy will cover it. But those are relatively trivial in the grand scheme of things. I got a call Friday morning that my Uncle Mac had passed away suddenly. I can’t say we were very close, but he met my aunt when I was a kid, and has been present at good times and bad over the past 35 years. Mac was a bear of a guy. Big and loud (okay, maybe it’s a family trait), but with a heart of gold and a liver of steel, given the crappy vodka he drank. He had the cleaning contract at West Point stadium for football games, so I grew up with a gas powered blower on my back, cleaning up football messes many Saturdays of my youth. He worked hard and got along with folks from all walks of life. He passed doing what he did most mornings, sitting in his big chair drinking his morning coffee. He made a peaceful transition to the next thing, and for that we’re all grateful. So my brother and I woke early on Sunday to travel to NY for the memorial service. A whole bunch of my family was there. Obviously my first cousins were there – Mac was their father figure. Most of my Dad’s first cousins (and he has a lot) represented, and a few of their kids showed as well. Even our own family Urkel showed up. Yes, you know every family has one and mine is no exception. It was great to see everyone (even Urkel), although it seems we only get together when something bad has happened. Soon enough there will be weddings and the like to celebrate and I look forward to convening on happier occasions. We even threatened to organize a family reunion. The logistics of pulling that off would be monumental, with family members spread across the country, but it’s worth trying. It reminded me that family matters, and as busy as life gets I shouldn’t forget that. 
Yet there are also family matters that a sudden death presents. Matters all too easy to sweep under the rug. You know, those economic discussions that rival a root canal. My aunt had little visibility into my uncle’s business dealings, and now she’s got to both find and figure out what needs to happen to wrap his business up. He also handled much of the bill paying. Now she has to figure out who is owed what and when. Your lawyer probably talks about estate planning (if you have an estate to plan) and tells you to make sure your stuff is properly documented, but this is a clear reminder that I have work to do. As much as you want to plan, you never know when your time is up. It’s hard enough for the survivors to deal with the emptiness and grief of the loss, especially a sudden loss. To add financial uncertainty due to poor documentation seems kind of ridiculous. Obviously no one wants to think or talk about their own mortality, but it’s not a bad idea to document the important stuff and let the folks know where to find what they need, and show your care for them. And remember to spend time remembering your lost family member. Tell stories about what a good person they were and funny stories about their quirks and crazy habits. Tell stories of their mistakes – no one is perfect. But most of all appreciate someone’s life in its entirety. The good, the bad, and the ugly. Then hold onto the good and let all the other stuff go. That’s what we did, and it was a great and fitting farewell to my Uncle Mac.

-Mike

Photo credits: “s. urkel jerk by alex pardee” originally uploaded by N0 Photoshop

Incite 4 U

Research timelines measured in decades, not zero days: In an instant gratification world, no one gets more instant gratification than computer attackers. Send phish, create botnet, do bad things quickly. Government can and should drive initiatives to address this gap, and help supplement private sector and university efforts. In the US those efforts are moving, as evidenced by the recent road map of cyber-security (that term still makes me throw up in my mouth a little) research priorities, as issued by the Office of Science and Technology Policy. But most security folks will ultimately be disappointed by any research efforts in our space. Why? Because we think in terms of zero days and reacting faster. Basic research doesn’t work like that. Those timelines are years, sometimes decades. Keep that in mind when assessing the success of any kind of basic research. – MR

Worry when, on Android? Tom’s Hardware says Android Security: Worry, But Don’t Panic, Yet. So if not now, when? Google is in an apps arms race: They’re not slowing down to vet applications so we see a lot of malicious stuff. We know that anti-virus and anti-malware doesn’t work on mobile platforms. We’re not going to ride the same virus/patch merry-go-round we did with PCs – that’s clearly a failed security model. But so far we’re not doing much better – instead we have a “find malware/remove app” model. The only improvement is that users don’t pay for security bandaids. If Android does not fix security – both OS issues and app vetting – we’ll have Windows PC security all over again. But this will be on a much broader scale – there are far more mobile devices. The speed at which we install apps and share data means faster time to damage. So perhaps don’t worry today – but as a consumer you should be worried about using these devices for mobile payments,


Pontification Alert: Upcoming webcast appearances

I figure our lack of blogging has created a vacuum of mostly-useless security snark and babble. Who else can put so little content in so many words? But all is not lost – we continue banging away building content for the Nexus. Thanks to a few of our excellent clients, you have the opportunity to hear me ramble on about two of my favorite topics this week. If you need some excuse to get out of your root canal appointment, need to postpone that audit findings meeting, or perhaps just choose not to grovel for 2012 budget on Wednesday or Thursday afternoon, do a little clicky-clicky and join me for the following webcasts…

Log Data is Not Enough! How to Supplement Logs with Network Security Analytics: On Wednesday 12/14 @ 1 PM ET, I’ll be joined by Solera Networks as we discuss how to react faster and better to attackers. I’ll be covering a lot of the content in our Applied Network Security Analysis blog series. Register here.

Network Security – Measuring the Immeasurable: On Thursday 12/15 @ 2 PM ET, I’ll be joining RedSeal Networks to talk about security metrics and how to prioritize your security efforts based on data, as opposed to making stuff up. This event will be a more interactive discussion of some of the concepts discussed in the Fact-based Network Security paper. Register for the event here.

There will be plenty of time during both events to ask questions. So hopefully you’ll be able to dial in and virtually heckle me on Twitter during the event. Looking forward to seeing you all at both these events.


Tokenization Guidance White Paper Available

We are pleased to announce the availability of our latest white paper: Tokenization Guidance: How to Reduce PCI Compliance Costs. It discusses the dos and don’ts of replacing credit card data with tokens, to improve security while reducing PCI DSS auditing costs. Our primary goal was to help merchants understand how to employ tokenization to reduce PCI scope, as well as the costs of Payment Card Industry Data Security Standard audits. When we read the PCI supplement on tokenization guidelines we were shocked that it failed to provide concrete answers to the target audience’s most-asked question: How can I reduce audit scope? It felt like the paper was designed to lull us to sleep – it would raise topics we were interested in, but then ramble on without answers. But we are here to fix that, filling the gaps they left. This is the white paper the PCI Council should have written. The paper is the product of hundreds of hours of research and about a hundred phone calls to various merchants, payment processors, tokenization vendors, and qualified assessors. We make many controversial assertions but we stand by them – we have vetted the content through interviews and discussions with every expert we could reach. And we have subjected our analysis to open scrutiny by the payment community through our Totally Transparent Research process. We include an overview analysis for merchants and auditors, as well as a step by step guide which works through all the PCI DSS requirements which are directly affected when using tokens to replace primary account numbers. We are very happy that Elavon, Liaison, Prime Factors, and Protegrity have sponsored this white paper! We could not spend the hours of research required for a project like this without help from sponsors, and we are grateful for their support.

You can get a copy of the paper from our sponsors, from our Research Library, or directly: TokenGuidance-Securosis-Final2.pdf

Index of Posts
Tokenization Guidance (new series)
Tokenization Guidance: PCI Supplement Highlights
Tokenization Guidance: Merchant Advice
Tokenization Guidance: Audit Advice


Friday Summary, December 9, 2011

As Rich announced, we are shaking up the Friday Summary a bit. We will still talk about what we are up to. And we’ll share some of our personal – possibly security related – stories in the Summary. But we will focus on fewer stories with more analysis of interesting news items. Honestly, we’ll likely sneak in security news as well – it just depends on whether we see interesting stuff.

Story of the week: DNSCrypt

The big news this week is the ‘preview’ release of DNSCrypt from the OpenDNS group. As its name implies, DNSCrypt is a tool to encrypt Domain Name Service lookups to avoid eavesdropping and deter Man-in-the-Middle (MitM) attacks and tampering. Note that this is not DNSSEC, which was designed to enable users to detect tampering and to authenticate DNS answers. DNSSEC was not designed to encrypt DNS requests, which leaves requests unprotected from monitoring by ISPs and other parties; DNSCrypt fills this gap by encrypting requests and responses. I understand from the press release that this is currently a Mac OS X only package, so Windows and Linux users will have to wait. The installer is dead simple and the configuration settings are conveniently placed into the ‘Other’ section of System Preferences. And I can tell you this is one of the few End User Licensing Agreements I have ever read because, in a very Securosis-like style, there is no lawyer BS included. Took about a minute to download and another to install, and no restarts were required. I ran OpenDNS with DNSCrypt enabled, both over SSL on port 443 and without, and did not notice any performance difference. The packets appear to be encrypted as advertised – but they could be using a ROT13 cipher for all I know, given the minute I spent looking at the stream. I have not, and probably will not, review the source code – I assume there are better qualified people with more free time on their hands (i.e., those not filling the Nexus with great new content) who will.
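To make the DNSSEC/DNSCrypt distinction concrete, and to show why a minute of eyeballing a stream proves little, here is an added Python example (not code from the OpenDNS release or from the original post). It builds a constructed DNS query, shows what a passive on-path observer recovers from it in the clear, and compares the byte entropy of the plaintext against a toy ROT13-style substitution and a SHA-256-keystream stand-in for a stream cipher; neither toy transform is DNSCrypt’s actual construction, and the key and hostname are assumed sample values.

```python
import hashlib
import math
import struct
from collections import Counter

# Constructed sample input, not a captured packet.
SAMPLE_NAME = "www.example.com"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a single-question DNS query in RFC 1035 wire format:
    12-byte header, QNAME as length-prefixed labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def observe_dns_question(packet: bytes):
    """What a passive on-path observer recovers from an unencrypted query:
    (queried name, record type). Returns None when the bytes do not parse as a
    well-formed DNS question, which is all an observer sees once the payload
    is encrypted."""
    if len(packet) < 12:
        return None
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(packet):
            return None
        label = packet[pos:pos + length]
        # Hostname labels: ASCII letters, digits and hyphens only.
        if not label.isascii() or not all(chr(b).isalnum() or b == 0x2D for b in label):
            return None
        labels.append(label.decode("ascii"))
        pos += length
    if not labels or pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass != 1:
        return None
    return ".".join(labels), qtype


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-frequency distribution (8.0 is the ceiling)."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def byte_shift(data: bytes, shift: int = 13) -> bytes:
    """Toy 'ROT13 for bytes': a fixed substitution. It defeats a parser but is
    trivially reversible and leaves the byte-frequency profile untouched."""
    return bytes((b + shift) % 256 for b in data)


def toy_stream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for a stream cipher: SHA-256(key || counter) keystream XORed over
    the data. It is NOT DNSCrypt's construction and has no authentication; it
    only shows what properly randomised output looks like to an observer."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def compare(name: str = SAMPLE_NAME, key: bytes = b"constructed-demo-key") -> dict:
    """For the plaintext query and the two transformed versions, report what an
    observer parses out and the entropy of the bytes on the wire."""
    query = build_dns_query(name)
    views = {"plaintext": query,
             "byte_shift": byte_shift(query),
             "stream_xor": toy_stream_xor(query, key)}
    return {label: (observe_dns_question(data), round(shannon_entropy(data), 2))
            for label, data in views.items()}


if __name__ == "__main__":
    for label, (seen, ent) in compare().items():
        print(f"{label:10s} observer sees={seen!r:28} entropy={ent:.2f} bits/byte")
```

The byte-shift row is the point of the ROT13 joke: it makes the query unreadable to a parser yet has exactly the same entropy as the plaintext, so "looks scrambled" is not evidence of real encryption; only a review of the actual cipher and key exchange is.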
And I look forward to hearing what the community thinks about the implementation, as I think this will be a highly sought-after addition for those interested in security and privacy. The key takeaway here is that DNS requests should be safe from spying and MitM, provided someone cannot impersonate the DNS service. There is a small but real chance of this. For average users this is a very real advance in security and privacy! If you’re an IT manager you should check it out and see how well it performs for you. There may be issues – it is an early release product after all – but this dead-simple tool enhances security.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
Mike’s Dark Reading post on Work and Play in Security.
Adrian’s DR post on DAM.
Rich quoted on Carrier IQ.
Don’t tell Rich, but somebody thinks he’s an ‘influencer’.

Securosis Posts
Incite 12/6/11: Stinky.
Friday Summary: Big Changes and Carrier IQ.

Favorite Outside Posts
Mike Rothman: Best Job Description Ever. This is how security folks should think about their jobs. Kudos to Quicken Loans for making their philosophy on security very clear, before applicants start the hiring process. It doesn’t hurt that their ideas are right on the money. (h/t Alex Hutton)
Adrian Lane: Ask Slashdot: To Hack or Not To Hack. How many times have I said that in the ‘landgrab’ for mobile payments, security is left on the roadside, thumb in the air? You don’t have to guess too hard who this is!

Project Quant Posts
DB Quant: Index.
NSO Quant: Index of Posts.
NSO Quant: Health Metrics–Device Health.
NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
NSO Quant: Manage Metrics–Deploy and Audit/Validate.

Research Reports and Presentations
Security Management 2.0: Time to Replace Your SIEM?
Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
Tokenization vs. Encryption: Options for Compliance.
Security Benchmarking: Going Beyond Metrics.

Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Sripathi Krishnan, in response to last week’s Friday Summary.

Rich, I have been a lurker on your blog for a long time now. I am a developer by profession, and security is a small but important part of what I do. Consequently, I do not spend much time on twitter or other ‘new media’ to stay up to date on this field. Friday Summary and the Incite give me a great perspective and insight on this field. ‘Read these two columns, and you will not miss anything significant’ has been my attitude. I would definitely miss the random list of articles. Please don’t exclude that. I know you have been complaining that people don’t leave comments. I am guilty of that. Hopefully, this comment of mine can influence you to not change the Friday summary too much. Thanks for the great work!

And thank you for the great feedback!


Incite 12/6/11: Stinky

I have a younger brother. It was just the two of us (and Mom) growing up, so I find myself ill suited to dealing with girl stuff. Thankfully the Boss is wonderful at working with the girls on how to deal with bullies/mean girls, and this physical maturation process that seems to happen to girls. One day they are all cute, young and innocent; the next day you’re shopping for bras. Thankfully the Boss handles that duty as well. I’d favor the model that is bolted onto their respective rib cages, and don’t get me started on chastity belts… But when it comes to the Boy, I’m all over that. He’s a pretty active kid. Most days he likes to head outside with his buddies in the cul-de-sac, and plays some kind of sport. For years he came back in, washed his hands and was good to go. Not so much any more. Over the summer we had a few situations where you could smell him way before he got back into the house. That’s when we realized our little boy is growing up, and after enough activity he smells like a locker room. So we had a little chat. I started with the importance of smelling good because the girls don’t like stinky boys. He blurted something out about cooties, so maybe that didn’t resonate as well as I hoped. Next I tried to explain about being considerate to the rest of his family, who shouldn’t be subjected to stink-o-rama. Yeah, that didn’t go over well either – he’s still enamored with the pull my finger game. Then I realized that most boys want to emulate their Dads. I took a quick run into my bathroom and emerged with the prize: a new stick of deodorant. He was very excited to use my deodorant and was pretty consistent about using it. In fact, the Boy was sitting next to the adult sister of one of our friends (no, this isn’t some Penn State story) and she noticed he smelled pretty OK, especially for an 8 year old. So she asked him why he smelled good, and he deadpanned, “Because I wear deodorant.” Then he went right back to his video game. 
Out of the mouths of babes. I thought he was in a good place regarding hygiene, until this past weekend. I took him over to a friend’s house to watch the football games on Sunday. He literally played football outside for about 4 hours, and by the time he got back inside he smelled like a compost pile. I was a little surprised, and asked whether he put his deodorant on. Of course, he gave me the 8-year old “oh well” shrug. I reminded him of the importance of not smelling like crap, and figured he was ready for the next step in his man training. Yup, I taught him the arm pit sniff. Now he should be able to tell, proactively, when it’s time for a deodorant refresh. But I’m not teaching him everything yet. I’ll wait a little while to introduce the underwear sniff test. That’s only for advanced students.

-Mike

Photo credits: “Warning: Politician Ahead!!!” originally uploaded by The Rocketeer

Incite 4 U

Security company does (some) good: As a skeptic it’s hard to find anything good in security, but let’s tip our hats to Barracuda. They are running a campaign to donate meals for children during the holiday season. Working with the United Nations World Food Programme to fight hunger, Barracuda will donate meals for every user that participates. How do you get involved? Follow @BarracudaLabs on Twitter, ‘Like’ them on Facebook, or just install their free Profile Protector, and they will donate a meal to the UN programme. It’s a no-cost way to donate food through the holidays! – AL

The APT who shall not be named: Kudos to Bob Bragdon for slaying the sacred cow of political correctness and making (in print) the connection between the ‘APT’ and China. We have actually been saying for a while that many of the persistent attackers out there are state-sponsored, and that state is China, all while comparing them to Voldemort. What’s funny to me is the folks who use APT to justify a logical evolution of security. Like Jon Oltsik, who jumped on the APT hype train and did a survey. Magically enough, users told him existing tools aren’t working very well. And in terms of the future view, what end-user doing anything today wouldn’t say “Security tools need to be smart enough to detect and react to suspicious behavior, anomalous activities, and attacks in progress.” That’s ground-breaking! But here’s the newsflash: this evolution has nothing to do with APT. Simple detection has been ineffective for years. And even if we get to this so-called ‘smart’ security tool, I’ll take the Red Army every day of the week. All they have is time and money, so they will get in. Though maybe Bob B should try out this SkyNet contraption on his home network, since Voldemort is no doubt coming for a visit. – MR

Coding conundrum: IBM is using a developer scorecard to measure the productivity of its developers. That’s good. And it sucks. As pointed out by Neil McAllister on his blog, metrics typically devolve into measuring lines of code, which does more harm than good. But here’s the conundrum: all metrics suck, but you need them regardless. Any individual metric only shows a fragment of the truth, and there is no ‘best’ metric. By themselves, most development metrics I have used were misleading to some degree, so I used different collections to show trends and warning flags. I used them as a cue to dig deeper and understand why some metrics were skewing in a certain direction. Use metrics, but don’t assume what they indicate without some digging. I applaud IBM for quantifying productivity, but warn users to be careful how they use any metrics in practice. – AL

Don’t


Friday Summary: Big Changes and Carrier IQ

Back when we started the Friday Summary the world of blogs and social media was much different. RSS feeds were the primary means by which most of us sucked down our news, and we tended to communicate through cross-blog links and comments. Our goal with the Summary was to provide a good way to highlight what we have been up to every week, while also sharing some nice link love with our friends and strangers (all in an email-friendly format). We also wanted to highlight good comments and use that as an excuse to donate some cash back to the non-profit side of the community. Since then a lot has changed. People blog a lot less, and there are far fewer discussions across blogs commenting on each other’s posts. Much of this has gone over to Twitter – which is sometimes good and sometimes bad. We also brought Mike on board and restarted the Security Incite which covers at least 6 stories a week. So I think it’s time to shake up the Summary a bit and switch its format. Moving forward (as in, not this week) we will highlight the 1-3 top stories we think you need to pay attention to, why, and point out any angles we think folks are missing. After that we will continue to list what we have been up to, but you don’t need us to provide you with a random list of articles on the Internet. Some weeks we might not highlight a comment of the week, but we will still donate on a weekly basis to different charities related to the security world. We may also pick out a particularly good Nexus question instead. We hope you like the new format, and all feedback is appreciated.

The Story of the Week: Carrier IQ

The big story this week seems to be the saga of Carrier IQ – logging software installed on many phones, mostly by carriers, that enables them to log pretty much everything you do on your device. Yes, even your banking passwords. This became public thanks to the hard work of Trevor Eckhart and was quickly picked up by big media like Wired’s Threat Level. The story quickly hit the (mostly uninformed) spin machine. The short version is that Carrier IQ is software with the potential to log pretty much everything you do on your phone, and some but not all carriers install it on your phone without telling you or giving you a way to turn it off. From a privacy standpoint this is, of course, a crappy thing to do. But all the hype does highlight some hypocrisy: Your phone carriers already log all your calls, text messages, and web URLs you visit. Google and all the ad tracking networks work hard to log everything you do on the Internet. As I made fun of this on Twitter, I got some very thoughtful responses that highlighted the big differences between this and other privacy-invading stuff:

@adamshostack: I generally agree, but CarrierIQ was surreptitious. I’m deeply privacy aware, didn’t know they were on my phone till this morning

@davienthemoose: google logs my keystrokes on my banking site? 😮

While I still consider most web tracking surreptitious, at least there’s something you can do about it. With your phone you are locked in unless you change devices and/or carriers, and even then you might still have it installed. And there is definitely a difference between a keystroke logger and a URL tracker. So I stand corrected. Thanks to Twitter.

Webcasts, Podcasts, Outside Writing, and Conferences
Adrian quoted on Oracle database patching.
Liquidmatrix Cyber Expert Interviewed (on TV). See one of our favorite Canadians, our own contributor Dave Lewis, on TV to discuss the Anonymous threats against the Toronto Government.

Securosis Posts
Incite 11/30/2011: An Introverted Thanks.
Changing Focus through the Holidays.
Fundamentals of Crowd Management.
Occupy Work.
Mobile Payments without Credit Cards.
Index of Posts: Security Management 2.0.
Incite 11/16/11: Blockage.
FireStarter: Looking the other way.

Favorite Outside Posts
Mike Rothman: Are you positive? Jack Daniel discusses the Achilles’ heel of any detection technique: the false positive. Read it.
Adrian Lane: DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists. Hacks, fraud, money mules, and DDoS – this story has it all.
Gunnar: Best statistics question ever. See if you can find the right answer.

Research Reports and Presentations
Security Management 2.0: Time to Replace Your SIEM?
Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
Tokenization vs. Encryption: Options for Compliance.

This week we will be making a donation to Brad “theNurse” Smith.


Incite 11/30/2011: An Introverted Thanks

As with most things, I have mixed feelings about the holidays. Who doesn’t enjoy a few days off to recharge for the end-of-year rush? But the holidays also mean family, and that’s a good thing in limited doses. I’m one of the lucky few who gets along with my in-laws. They have an inexplicably high opinion of me, and who am I to say they are wrong? But by the fifth day of being surrounded by family over Thanksgiving weekend I was fit to be tied. I spent most of Saturday grumbling on the couch, snapping at anyone who would listen. And even those who didn’t. Thankfully my family ignores me, and suggested I stay back when they went to the fitness center pool. I was much better when they got back. I was able to recharge my social batteries – I just needed a little solitary confinement. Why? Because I’m an introvert – like all introverts, the longer I’m around people the harder it is for me to deal. I found this great guide to dealing with introverts from The Atlantic, and it’s right on the money. I like to say I’m anti-social but that’s really not the case. But I only enjoy people in limited doses. I remember reading, a few years back, Never Eat Alone, a guide to networking. There is a lot of great stuff in that book, which I will never do. I actually like to eat alone, so most days I do. That’s really what I’m thankful for this year. I have a situation where I can be around people enough, but not too much. For me that’s essential. But that’s not all I’m thankful for. I’m thankful for all the folks who read our stuff, who have bought my book, and who show up to hear us pontificate. When I explain what I do for a living most folks say, “really?” For the record, nobody is more surprised than me that I can write and speak every day and pay my bills. It’s really a great gig. So thank you for supporting our efforts. And I’m also thankful that the important people in my life tolerate me. Obviously Rich and Adrian are getting used to my, uh, quirks. 
They haven’t voted me off the island. Yet. My kids are growing into wonderful people despite their genetically similarity to me. They continue to amaze me (almost) daily, and usually in a good way. But most of all, I have to thank the Boss. We just celebrated our 15th year of marriage, and although there have been a number of great days in my life, the day we met is in the Top 4. She holds it all together, keeps me grounded, and lets me, well… be me. She has never lost faith, no matter how bumpy things got. I can only hope my kids are lucky enough to find someone who supports them like The Boss supports me. Yes, I need my alone time, but without my partners (in business and life) I would be nowhere. Now is the time to remember that. So think about all those folks who allow you to do your thing, and thank them. Especially a week after Thanksgiving – after they thought you forgot. Got to keep them on their toes, after all. -Mike Photo credits: “Thank You Trash…” originally uploaded by Daniel Slaughter Incite 4 U Can we call this a false positive? The major media was buzzing over the short pre-holiday week with reports of a foreign cyber-attack that took down a water pump in Springfield IL. Too bad it didn’t happen – it was an authorized contractor trying to troubleshoot stuff over a connection from Russia (where the guy was traveling on business). What perplexes me is how such a volatile piece of news could get out without corroboration or investigation. Who’s at fault here? The Illinois Statewide Terrorism and Intelligence Center, or the so-called expert who alerted the media? Probably both, but this kind of Chicken Little crap doesn’t help anything. If a water pump goes down, what is the danger? It’s not like the water supply was tampered with. At some point, a cyber-attack will happen. Let’s hope there is more and better information next time – and that it turns out to be as harmless as this incident. 
– MR

No app for that: Good on Chris DiBona for calling anti-virus vendors “charlatans and scammers”. Your average mobile phone user does not know – and does not want to know – the differences between viruses and malware. But developers know the risk vector is not viruses – it’s malicious apps that users willingly install because they don’t know any better. And these bad apps behave like every other app, so it’s not like signature-based detection can help! Of course that does not prevent AV vendors from spewing FUD and selling their wares to the unsuspecting public. It’s refreshing to see a developer sound off without being muzzled by the HR and legal teams, because he is right – AV will not provide any greater protection than what your platform provider offers by yanking malicious apps from their app store. – AL

Burn the house down: Before I go any further, I do think the hack these researchers came up with attacking printers is interesting. They figured out that the firmware updates weren’t signed, and were merely sent over as part of a print job. There’s a lot of hyperbole on this one that I will ignore, but printers really are something you should be paying attention to – especially multifunction devices (MFDs). I co-authored a Gartner note about these risks back in the day – among other things they often have insecure web servers built in, keep copies of everything faxed or printed on local hard drives, etc. And a lot of you probably outsource your printer support – like the client who told me their vendor insisted on full VPN access

Changing Focus through the Holidays

Hey everyone,

As you may have noticed, we are pretty focused on this Securosis Nexus thing we have been working on for a while. The system is coming along great, but it’s time for us to start hammering on its content. So through the end of this year we will be blogging on a reduced schedule. We will still hit you with the weekly Incite and Friday Summary plus our research projects, but day-to-day blogging will subside a bit (as it already has) so we can focus on writing for the Nexus. Unless, of course, something really tweaks us off and we need a good rant.

Fundamentals of Crowd Management

I have joked over the years that I’m more qualified to run security at a stadium concert than an IT shop, and it’s somewhat true. My security career started way back at the young age of 18 when I started working on the event staff at CU Boulder, and for Contemporary Services Corporation (CSC), who managed most of the Denver venues. By 21 I was running security at CU and supervising for CSC – managing or supervising sports, music, and other events ranging from under 100 people to over 100,000. Sometimes I was in charge, sometimes I just managed one area, and I was often a rover/troubleshooter. I did this multiple times a week for about 4-5 years (including working summers at Red Rocks), then dropped down to occasional contract work for bigger events after that, including some with extreme logistical complexity, high risk profiles, or other complicating factors. (Like the time my employees called to ask why the bomb squad was walking around and Secret Service snipers were in the rafters).

I was also fortunate that the people I worked with were true professionals. Crowd management is an industry filled with low-bid/minimum-wage contract firms with very poor work ethics and management. CSC are the guys who run the Super Bowl and most other ‘massive’ events, and I learned a hell of a lot from them and running my own teams.

I have been watching a lot of the coverage of the Occupy movement and the police response and see a series of common, preventable mistakes being made over and over. Rather than specifically criticizing YouTube clips without context, here are some of the fundamental principles I learned over the years with comments on mistakes I see.

  • Deescalate. Always. – The single most important fundamental is that crowd management is all about deescalation. You’ll never outnumber the crowd… and the more tension rises, the greater the chance of physical conflict or transitioning to a riot. There are always more of them than of you.
  • Peer security is more effective than policing – Peer security is the principle of staffing the event with demographic peers of the attendees. Police are law enforcement officers, and so they naturally and unavoidably escalate any situation they are at, by the role they play in society and the weapons they carry. Unarmed peers of the crowd have much greater flexibility in response – they are not required to arrest or enforce all laws, they are not perceived as the same kind of threat, they do not carry weapons, and they do not have arrest authority.
  • Weapons are not your friend in a crowd – Crowds are messy, fluid affairs that make it impossible to maintain a safe stand-off distance. I have never met an intelligent police officer who went into a crowd without more than a little fear that someone would try to grab their OC spray, handgun, or other tools. Where I worked, peer security would go into crowds and pull people out for the police – who would almost never enter the crowd itself.
  • Know your crowd – You can fully predict the behavior of a crowd if you know the demographic and environmental conditions. I know how everything from the weather, to ages, to kinds of music affects a crowd… and it isn’t what you’d think. For example, serious injuries (and deaths) were far more common at Grateful Dead and Blues Travelers shows than metal bands with mosh pits.
  • Slow and steady wins the race – When dealing with an uncooperative but nonviolent crowd, you have to eat at it bit by bit. From dispersing a crowd to ejecting a big group, you have to handle it piece by piece and person by person – even when force is used. That goes for removing tents (yes, I have had to do that at ‘campout’ events) and clearing the aisles at a Dead show so people could move around.
  • The more authority you have, the less you should look like security – This was one of my favorite tricks – when I ran events I rarely wore an event staff shirt. As the last person able to deescalate most conflicts before turning someone over to the police, the more I looked like a normal person or non-security staff the better. If they think you’re with the band/team, even better.
  • Defense in depth – Crowd management is like IT security – you need multiple people with different specialties, properly trained and positioned. For example, I hated going into a mosh pit without a spotter. At a large stadium show I might have 500 people working for me. We’d have rovers, ticket takers, people inside and outside, folks dedicated to ejections, supplementing medical (to help them through the crowd), and more.
  • When you need to use force, don’t hesitate, but don’t hit – I have no problem using force when it is needed (and we frequently had to, especially to break up fights). In a crowd your goal is to get the person out of the crowd as fast as possible. You never punch or kick… that is excessive use of force (the exception is when you are in serious danger yourself). Your goal is to solve the problem without anyone getting hurt. Deescalation, remember?
  • Spontaneous crowds aren’t riots – I sometimes dealt with spontaneous crowds appearing where we didn’t expect them, which weren’t tied to a normal event. Usually these were campouts, but I was also called into a few protests and such when the police wanted trusted people in the crowd but not uniformed officers. All normal crowd dynamics still apply.
  • Riots are for the police – Crowds need peer security. Riots need cops and all the OC spray you can get your hands on. A riot is an uncontrolled situation where mob behavior takes over and there is serious damage to life/safety and property. I was at a Guns ‘n’ Roses show we thought might turn into a riot when that ass-hat Axl

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.