Research

I know we all have compliance fatigue. Some worse than others, but we all rue the day security became more about compliance and getting the rubber stamp than actually protecting something. The pragmatist in me continues to accept our lot in life and try to be somewhat optimistic about it. But at the end of the day, we (as an industry) pretty much suck at protecting things, and there are no real catalysts to change that. Out the other side of my mouth, I can talk about how compliance (PCI specifically) has added a low bar to the practice of security. And in the absence of that (admittedly) low bar, lord knows what the situation would be. But that’s not the point. It’s about making sure organizations consistently do the right thing. And that customers know that’s the case. I’m intrigued by a concept put forth by Lenny Zeltser, talking about a Letter Grade for Information Security. The idea is modeled after how NYC inspects their restaurants. Basically folks who get the highest grade only get assessed annually. Those sucking need to be assessed more often. Best of all, they all need to post their grades in public where their customers can see them. Can you imagine if a big retailer failed an assessment and had to post on their high-traffic website that they had issues? Kind of like making them wear the proverbial Scarlet Letter. That would be cool, and would also create a real disincentive to screw up an assessment. And maybe that would be the catalyst to start doing security right. Of course, this assumes a bunch of things: The bar is high enough: We consider PCI the bar, mostly because it’s the most detailed. But we need to figure out how much security is enough. And what set of guidelines best reflect that level – which is likely to change based on the organization’s size and transaction volume. A set of objective ratings: What is a “C” when evaluating a restaurant? No rats feasting in the pantry? I’m sure there is a long checklist and associated rating system. As Lenny points out, right now PCI is binary – you either pass or fail. I don’t suggest a FISMA style rating scale – that works so well – but we do need some means of measuring success and providing a grade. The assessment isn’t a joke: We’ve all heard about the unholy alliances between QSAs, their firms which provide all sorts of other services, and customers. Feels a lot like the old days when a public audit firm sold a crapload of consulting to customers they audited. Amazingly enough, the late Arthur Andersen gave firms like Enron a thumbs-up because they’d lose out on millions of other billings if they didn’t. Today a QSA is not prohibited from selling other products/services to company they assess. We need true objectivity for this to work. Mass market coverage: Assessing Tier 1 and even Tier 2 merchants is a no-brainer. There are thousands of Tier 3 and millions of Tier 4. How do you address the mass market? Self-assessment? See the previous bullet about the assessment being a joke. But much of today’s fraud targets these small fry (as the big folks get incrementally better at protecting themselves), this large swath of territory must be factored in. Truth in Advertising: What happens when someone fails a PCI assessment? They argue about it, which pushes back the date when their situation would cost them money? In Lenny’s example, NYC makes them post either the current grade or a sign saying grade is pending. That’s kind of interesting. We need to make sure companies come clean about porous data protection policies. Kind of like an extension of today’s disclosure laws. So customers are notified when organizations holding their personal information fail an assessment, whether there is data loss or not. Oversight with teeth: When did separation of duties take off? Basically when Sarbanes-Oxley made it clear a senior exec would go to jail if they screwed it up. We need similar oversight for security. Yes, this would be need to be legislated, and I’m fully aware of the ramifications. But how else can you create enough urgency to get something going? Or we could just continue on with the status quo. Since that’s so great. I’m not saying any of this is practical, and it’s kind of half-baked on my part. But parts of it may be workable. Like Lenny, I understand that this discussion brings up more questions than answers. But I am (like you) pretty frustrated some days about what we call success in security nowadays. And thanks to Lenny Z for once again providing great food for thought. Photo credit: “Hester Prynne” originally uploaded by Bill H-D Share:

Oracle purchased Secerno 14 months ago. It was advertised as a database firewall to block malicious queries and certain types of attacks. What they have presented looks like a plausible method of protecting databases once an attack is known but before the patch is applied. And as we know many Oracle shops don’t apply security (or any) patches on a quarterly basis. They may patch on a yearly basis. Secerno looks like a temporary fix to help these companies. Last week Oracle released a new Critical Patch Update for July 2011. At least one of the defects it addresses is a remote exploit that allows an attacker to take over the secure backup facility without credentials, and another allows for a complete compromise of JRockit middleware – a serious problem. Both rank ‘10’ on Oracle’s badness meter. In case that wasn’t enough, the CPU also patches couple core remotely exploitable (although admittedly difficult to hit) RDBMS issues. So I strongly suggest you patch your databases ASAP. But that’s not the reason for this post. I’m concerned because I see no indication Secerno has distributed attack signatures for this Oracle CPU to its users. For remote exploits I would expect these to be published, but I have not found them. So my question is this: Are any Secerno users using the product to block the current threats? Have you received updated signatures to address the CPU patches? If so, please shoot me an email (it’s alane at Securosis with the dot com at the end). I’d like to know how this is working for you. If you are using any DAM products for blocking, I welcome your input. Share:

I usually agree with Jack Daniel. You know, we curmudgeons need to stick together. But one of the requirements of membership in the Curmudgeons Association is to call crap when we see it. And much as it pains me to say it, Jack’s latest rant on InfoSec’s misunderstanding of business is crap. Actually his conclusion is right on the money: In order to improve security in your organization, you need to understand how your organization works, not how it should work. [emphasis mine] I couldn’t agree more. The problem is how Jack reaches that conclusion. Basically by saying that understanding business is a waste of time. Instead, he suggests you understand greed and fear, then you’ll understand the motivations of the decision makers, and then you’ll be able to do your job. Right? Not so much. Mostly because I don’t understand how anyone understands how things get done in their organization without both understanding the business and also understanding the people. In my experience, you can’t separate the two. No way, no how. I totally agree that everyone (except maybe a monk) is driven by greed and fear. Sometimes those aspects are driven by the business. Maybe they want to make the quarter (and keep their BMW) or perhaps they need to move a key business process to the cloud to reduce headcount. Those are all motivations to do security, or not. How can you understand how to sell a project internally if you don’t understand what’s going on in the business? Your decisions makers may also have some personal issues that color their decisions. Could be an expensive divorce. Could be a sick parent. It could be anything, but any of those factors could get in the way of your project. Ignore the people aspect of the job at your own risk – which is really my point. A senior security position is not a technical job. It’s a job of persuasion. It’s a job of sales. And both those disciplines require a full understanding of all the factors that can work for or against you. One of the key trends I saw a few years ago involved senior security folks coming from the business, not from the ranks of the security team. These folks were basically tasked to fix security, which meant they had to know how to get things done in the organization. These folks could just as well be dealing with operational problems in Latin America as with cyberattacks. To Jack’s point, they do understand greed and fear. They may have pictures of senior execs in a vault somewhere, and then inexplicably get the funding they need for key projects. And they also understand the business. Share:

I talk a lot on Twitter about my password manager. I use 1Password and love it. It auto-generates random passwords for me of any length I choose, auto-fills web forms for me, and remembers both the web page and the hideously complex password I have chosen. It automatically synchronizes across all my computers so I am never without all my current passwords. The file is encrypted with AES-128 and they handle encryption keys securely, so I believe the product is pretty secure. Now, rather than having a couple good passwords for the handful of sites I care about – and a single generic password for the 300 sites I don’t – every single one of my web accounts has its own strong password. Or I should say as strong a password as each site allows. I always worried about having the application crash and losing every single one of my passwords. Irrational fear. I back it up like any other application. In hindsight I can’t figure out what took me so long to change over. Another irrational aspect of passwords dawned on me today: we automate password administration and enforcement, but require users perform a manual process. Why? There are some basic problems with people and passwords: We don’t want random passwords – too hard to remember. We don’t want to choose long passwords – too hard to remember. We don’t like typing long passwords. Frankly they are a pain in the ass to type in, and a triple pain in the ass if you mistype the first attempt. We don’t want to rotate passwords – it means I have to learn three of four long passwords just for work. We hate calling IT to reset passwords – because that takes more time out of our day. And the guy in IT treats us like dorks every time we call. Ultimately this is all because we suck at remembering passwords. Worse, we don’t care about the passwords – they are a necessary evil. Passwords are something we have to do. So why not automate the whole mess – especially for corporate IT users? Today we centralize password policies and automate enforcement of those policies (length, character requirements, expiration, etc.). There is no reason we can’t automate the client side as well, but enterprise password managers are rare as hen’s teeth. For corporate environments we could even embed advanced capabilities with virtual RSA tokens, access tokens for shared services without shared credentials, or even SAML capabilities. And we could allow each user to maintain individual passwords, with separate password repositories in case a single user account is compromised. I acknowledge that it’s conjecture on my part, but I am willing to bet that automation will reduce user error and ultimately IT’s password management burden. I am not aware of a password management product that can fully support enterprises today – but several are not far off. I think it’s time we see more password managers in corporate environments Share:

I imagine with this heat wave covering most the country you’re likely on your way to the beach – or at least some place better than work. So with me traveling, Mike suffering through physical therapy, and Rich spending time with the family, this week’s summary will be a short one. A friend sent me this video earlier in the week – I don’t know if you have seen these before, but if not take some time to look at this video on 3-D printer technology. It’s just one of the coolest things I have seen in years. I originally got interested in this a year or so ago when learning about some of the interesting stuff you can do with Arduino and I remain fascinated. Feed in a CAD design – even with non-connected moving parts – and it will literally print a physical object. If you notice, the printer in the video uses HP bubblejet printer cartridges – but filled with the resin hardener rather than ink. The technology is simple enough that you could literally build one at home. And pretty much anyone with basic CAD capability can design something and have it created instantly. As 3D printers evolve, so that they support other materials beyond plastic, And these designed can be shared – just like open source software – only in this case it’s open source hardware. What I find just as interesting is that people keep sending me links to the video, expressing their hopes and visions of the future. When teachers send me the link they talk about using these types of technologies to encourage student interest in technology. When I talk to car enthusiasts, they talk about sharing CAD models of hard-to-find car parts and simply re-fabricating door handles for a 1932 Buick. Star Trek nerds fans talk about the realization of the replicator. When I talk to friends with a political bent who are frustrated that everything is made in China, I hear that this is a disruptive technology that could make America a manufacturing center again. That is more or less the take behind the Forbes video on 3-D printers. Whatever – check out the video. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted by The Register in: Major overhaul makes OS X Lion king of security Favorite Securosis Posts David Mortman: Donate Your Bone Marrow. You could save a life. Do it now. Mike Rothman: Friction and Security. Wouldn’t it be great if we had KY Jelly for making everyone in IT work better together? Adrian Lane: Rise of the Security Monkeys. Only because I have a Monkey Shrine. Seriously. It’s a long story. Other Securosis Posts Incite 7/19/2011: The Case of the Disappearing Letters. Mitigating Software Vulnerabilities. Friday Summary: July 14, 2011. Favorite Outside Posts Mike Rothman: Howard Stern questions Citrix marketing strategy. You have no idea what my first thought was when I saw this headline. Though Stern knows a bit about marketing on the radio. Just goes to show how marketing technology has changed over the years. David Mortman: Phone hacking, technology and policy. Adrian Lane: Security Tips for Non-Techies. Dealing with non-technies on security issues more than I like, I feel your pain. Project Quant Posts DB Quant: Index. NSO Quant: Index of Posts. NSO Quant: Health Metrics–Device Health. NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS. NSO Quant: Manage Metrics–Deploy and Audit/Validate. NSO Quant: Manage Metrics–Process Change Request and Test/Approve. NSO Quant: Manage Metrics–Signature Management. NSO Quant: Manage Metrics–Document Policies & Rules. NSO Quant: Manage Metrics–Define/Update Policies and Rules. NSO Quant: Manage Metrics–Policy Review. Research Reports and Presentations Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Top News and Posts Using data to protect people from malware Comcast Hijacks Firefox Homepage: “We’ll Fix” Feds Arrest 14 ‘Anonymous’ Suspects Over PayPal Attack, Raid Dozens More Microsoft Finds Vulnerabilities in Picasa and Facebook How a State Dept. contractor funneled $52 million to secret family Anti-Sec is not a cause, it’s an excuse. Azeri Banks Corner Fake AV, Pharma Market via Krebs. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Betsy, in response to Donate Your Bone Marrow. As a recent transplant recipient with three close friends also recipients plus a best friend recently diagnosed with leukemia, your post is spot on. Signing up to be a donor is trivially simple and, as you say, a direct path to saving or vastly improving lives. Visit organdonor.gov for a good source of information on how to donate. Thanks for your post. Share:

The Freakonomics blog assembled an interesting quorum on security. Industry heavyweights like Schneier weighed in on the following question: Why has there been such a spike in hacking recently? Or is it merely a function of us playing closer attention and of institutions being more open about reporting security breaches? Aside from Bruce there were opinions from folks at Imperva, IronKey, Aite Group, and BAE Systems – most of it decent. Some contradictory points, but get a bunch of folks to weigh in and that’s bound to happen. In something targeted to a mass market readership, some of these folks threw in the APT and PCI terminology. Seriously. Which really underscored to me how most security folks have no fracking clue on how to talk to a non-security audience. But that’s a story for another day. Since I wasn’t invited into the quorum (sad panda), I figured I’d rant a bit on the question. So if they kind folks at Freakonomics invited me to participate (hint, hint), here’s what I’d say. In general I have to agree with Bruce Schneier. There hasn’t been a huge spike in hacking. Sure, the number of data breaches is up, but the number of stolen identities is way down. The real change is the increased reporting on hacking. That’s right – security has finally come into your living room. And it’s a scary place for most folks. For instance, a few months back the Anonymous hacker collective broke into the website of Westboro Baptist Church – on live TV. Unless you’ve been to the Black Hat conference or a similar technical forum, you probably haven’t seen a lot of computer attacks happen live. That was cool. It was newsworthy. So the media picked up on this hacking stuff. Combined with the disclosure of previously off-limits information on sites like WikiLeaks and Pastebin, now you have real news. When the contact information of undercover Arizona police officers is posted on the Internet, or the tactics of The News of the World come to light, it’s going to make news. And it has. We do have more visible attacks as well. When hackers take down Sony’s PlayStation Network for weeks, that’s newsworthy. Steal some plans for the Joint Strike Fighter, which happened a few years ago, and it barely makes news. Take down a multi-player game and all hell breaks loose. This is the world we live in. We can talk about the increasing sophistication of the hackers (as a number of them did), but that’s crap. Most of these attacks have not been sophisticated at all. We can also talk about the laws requiring data breach disclosure, but that’s also crap. Disclosures have been happening for years, and this mainstreaming of hacking is much more recent. Compounding the issue is the real-time media cycle. Driven by anyone with a computer Tweeting whatever they want, and dimwit media outlets running with it without proper fact checking (or, often, even understanding what they’re saying), and you have a perfect way to game the system. We see it every day with the NFL labor negotiations. Some player – perhaps clued in but just as likely not – tweets something, and everyone thinks it’s gospel. Within seconds it’s broadcast on ESPN and NFL Network. It’s on TV so it must be right, right? It’s not gospel. It’s not anything besides what’s always been happening. Now it’s in plain sight, and that’s uncomfortable for most folks. Especially the ones who find their corporate and personal secrets on public web sites. Share:

Something didn’t add up. We got a call from the girl’s camp literally 3 days after they got there saying XX2 needed more stationery. We hoped this meant she was a prolific writer, and we’d be getting a couple updates a week. Almost 3 weeks later, we got 1 postcard. That’s it. A few of her friends got letters, but not nearly enough to have depleted her stash of letters/postcards. And the longer we went without a letter, the more ornery The Boss got. Mostly because she spent a bunch of time buying, stamping, addressing, and return labeling the additional letters. So to not get any mail was really adding insult to injury. Luckily we were going to see the girls on Visiting Day, so we’d get to the bottom of the situation. Maybe there were mail gremlins in the Post Office, getting their kicks by reading (almost) 8 year old chicken scratch. Maybe the small-town post office was just overwhelmed. Or maybe XX2 had screwed up a bunch of letters and just thrown them out, as opposed to trying to fix them. It could be anything, and we were determined to get to the bottom of it. When we got to the camp, we spent a few minutes with XX1, including meeting her counselors and seeing her bunk. It’s far from roughing it, but they still get a somewhat rustic experience. Then we made our way over the XX2’s bunk to do a similar assessment. With me as the bull in a china shop, I (of course) just blurted out what I know The Boss was thinking. “I’m so happy you are having a great time at camp, but what the hell? Who did you write to with all your stationary? It certainly wasn’t us!” XX2 looked very confused. She reiterated that she did write letters, and she wrote 3-4 to us. It looked like it might be a job for the late Columbo, who could solve this posthumously. Then we asked the key question: “When did you mail the letters?” She again looked at us quizzically. That’s when all the pieces fit together. “I need to mail one letter every three days to get into dinner. So I give them one letter.” Looks like we found the smoking gun. I then asked XX2 to show us her stationary box, and sure enough there were 6 letters and 3 postcards ready to go. I forget she is not even 8 years old yet. She took the instructions literally. She needed one letter to fulfill the requirement, and didn’t realize she could mail more than one letter at a time, or even on an off day. We got the characteristic, “oh well” shrug from her and then we all just busted out laughing. To be clear, I’m not sure we’d do anything different next time. I refuse to be one of those crazy, guilt-slinging parents who browbeat their kids about writing. If they aren’t writing, odds are they are having fun. And we may even save a few bucks in postage. That’s a win-win in my book. -Mike Photo credits: “Nobody Loves Me” originally uploaded by Robert Hruzek Incite 4 U The next wave of consumer security: Following (and participating in) the SIEM space, one of the biggest jokes was fraud detection. You know, you’d set your SIEM to look at transaction records and it would find fraud. It’s just data, right? Fraud is just another pattern, right? Not so much, but it’s still a magic chart requirement to have a solution in this space, even though the financial folks use purpose-built offerings to do it for real. But that doesn’t mean that reputation and pattern matching for fraud detection has no place in security. Actually, it does, and with a tip of the hat to Fred Wilson, I can point you to a new service called BillGuard that monitors your credit card transaction streams and can alert you to things that might be funky. Remember, consumers don’t care about security for its own sake. But they care about losing money to fraud and other nuisances, and this kind of offering should just kill it. Disclaimer: I haven’t used BillGuard, nor have I checked out their security. But the idea is right on the (proverbial) money. – MR Agile is the word: Uh-oh. The US Government is taking cyber-security lessons from businesses. Are things that bad? Actually, while the title of this post filled me with visions of Sony and other enterprises, the actual document is worth review. The government is effectively advocating an Agile process – its basic tenets read more like secure code development ideals than as network deployment. Most security experts urge building security into the products we deploy rather than bolting it on afterwards. And this encourages working with smaller (read: more innovative) security technology providers. Their guidance is a good fit with our own enterprise guidance. – AL A sign of the times: About a hundred years ago, I co-founded a company focused on driving broader adoption of PKI. We focused on application integration to add capabilities such as encryption and digital signatures. But it never took off, mostly because no one was willing to trade inconvenience for security. By the way, not much has changed. If security works, it’s behind the scenes, embedded within the user experience so users don’t need to know about it. Adobe is clearly going taking another run at digital signatures with their EchoSign buy. I’m not sure the outcome will be different this time around. EchoSign got some lift because it wasn’t about technology – it was about a seamless business process to eliminate paper from contract signing. We’ll see if Adobe learns from that, or just tries to add another option to the product – you know how the latter scenario ends. – MR Skype pwnage: It will likely be patched by the time you read this, but there is a cross site scripting vulnerability with Skype. In

As far back as I can remember, I have been a fan of testing your defenses. Some people call it pen testing, others refer to it as an assurance process, but the point is the same either way. The bad folks test your defenses every day, and if you aren’t using the same tactics to find out what they can get, you’re going to have a bad day. Maybe not today, maybe not even tomorrow. But the clock is ticking. Truly understanding your security posture gets even harder when you start thinking about the cloud and the complexities of architecting a totally new infrastructure. We have a zillion dollars worth of systems management installed to monitor and manage our data centers, although I reserve judgment on how suck-tastic that investment has been. Now that we are moving many things to the cloud (whatever that means), it’s time to revisit how we test our infrastructure. The existing systems management (and security) vendors are falling all over themselves to position their existing products as appropriate for managing cloud operations, but most of their solutions are heavy on slide decks and virtual appliances (same stuff, different wrapper), and lighter on the actual management technology. In fairness, it’s still early, so we shouldn’t totally count out the systems management incumbents, right? I mean, those are some innovative organizations, [sarcasm]no?[/sarcasm] Yet, this cloud thing will force us to totally rethink how we run operations, and thus how we test our environments. The good news is that many of the cloud services leaders are more than happy to share what they are doing, so you can learn what works and what doesn’t, avoiding the school of hard knocks. I mean, when before has a company basically shared its data center architecture? Thanks, Facebook. And now NetFlix is sharing some of their management approaches. Netflix’s concept is to use a Simian Army (not literal monkeys, but automated testing processes) to put their infrastructure through the ringer. To see where it breaks. To pinpoint performance issues. And to do it continuously, on an ongoing basis. They even have a chaos gorilla, which takes entire availability zones out of play, so they can see how their infrastructure reacts. The same discipline applies to security. You need to build a set of hacking simians to try to break your stuff. No, it won’t be easy, and you’ll need to do a lot of manual scripting and integration to build a security monkey. Although there are some offerings (like Core’s new Insight product), focused on running continuous testing processes, it’s still early in this market. So you’ll need to do a lot of the work. But the alternative is having your dirty undergarments posted on pastebin. But don’t forget my standard caveat: when you test using live ammo, be careful! Given the economics of cloudy things, you should have a test environment that looks an awful lot like your production environment. And let the monkeys loose on your test environment early and often. But some of these monkeys can/should be used on the production stuff. Although you can make the test environment look the same, it’s not. We learn that hard lesson over and over again. In the post, Netflix talks about shutting down production instances (with a lot of oversight, obviously), just to see what happens. They reminds me a bit of the kanban process in manufacturing, in that you mess with the working system to find the breaking points, to see where you can make it more efficient. The assumption that everything is working fine has never held water. The question is whether you search for what’s broken, or wait for it to find you. But most of all, I love both the metaphor and the message of Netflix’s approach. These guys test their stuff, so when half of Amazon AWS goes down they stay up. Obviously this isn’t a panacea (as their recent outage showed), but clearly there is something going on over at Netflix. So jump on the monkey bandwagon – they are taking over the world anyway. Share:

Matt Miller, Tim Burrell, and Michael Howard from the Microsoft Security Engineering Center published a paper last week on Mitigating Software vulnerabilities. In a nutshell, they advocate a set of tactics that limit – or outright block – known and emerging attack techniques. Rather than play catch-up and patch the threat du jour, they outline use cases for the technologies that Microsoft employs within their own products to make it much harder to compromise code with canned attacks. Over the past decade, Microsoft has developed a variety of exploit mitigation technologies that are designed to make it more difficult for attackers to exploit software vulnerabilities such as buffer overruns. This section enumerates each of the mitigation technologies currently available, and provides answers for common questions that relate to how each technology works, how effective they are, and any important performance or compatibility considerations. Three basic recommended tactics are: Generic detection of a hacker’s attempt to subvert a system though exception handler overwrites or running code from within data segments. Randomizing code or configurations to breaks canned attacks Employ simple security ‘speed bumps’ that require a little bit of insider knowledge which is difficult for an attacker to acquire. Two things I like about the paper: First, the tactics approach exploitation protection from a developer’s prospective. This is not a third-party tool or analyzer or bolt-on protection. These tools and complier options are in the context of the development environment, and offer protections a developer has some degree of control over. The more involved the developer is in the security precautions in (or for) their code, the more likely they are to think about how they can protect it. Second, this mindset assumes that code will be under attack and looks for ways to make it more difficult to subvert – rather than desperately hoping the newest mitigation can stop a determined attacker permanently. Understanding that small variations can cause huge headaches for attackers and malware developers is a fundamental insight for defensive development. While this paper is recommended reading for developers, bring a big cup of coffee. The documents are only about 10 pages, but the terminology is a bit obtuse. For example, “artificial diversity” and “knowledge deficits” are accurate but unfamiliar terms. I am pretty sure there is a better way to say “new invariants”. Still, esoteric vocabulary seems to be this paper’s main vice – slight criticism indeed. Educating developers on a simple set of tactics – built into their development tools – is powerful. The key insight is that you can take away the easy (known) pathways in and out of your code, and make it very expensive for an attacker to break your application. It is just as important to give yourself more time to detect iterative attacks in progress. The paper is well worth your time. Share:

I’m going to keep this short. Dave Lewis (@gattaca)’s wife was diagnosed with leukemia yesterday. Dave is one of our Contributing Analysts and a hell of a great guy, and while I haven’t met her, everyone says his wife is even better (seems to be a common trend). James Arlen (@myrcurial) posted with details over at Liquidmatrix. You may not know this, but Dave’s wife is the second person in our security community suffering from a blood-related disease (the other being Barkode, a fellow Defcon goon). If you aren’t signed up as a bone marrow donor, do it now. Only 1 in about 540 people in the registry are ever matched, so they need massive numbers. A lot of people used to tell me how cool it was that I was “saving lives” when I was working fire/rescue/ambulance. Donating your bone marrow is a far more effective and direct way to save someone. I’m not sure I actually saved too many lives in those days, but I do know that if I’m a match the odds are damn high someone will live who nature tried to take out. Do it. Now. Share: