Securosis

Research

Incite 6/15/2011: Shortcut to Hypocrisy

I’m not a big basketball fan. I like the NCAA tournament. I may watch a game or two of the NBA playoffs/finals, but I don’t follow them. It seems nothing can get our nation to rise up like a common enemy. That enemy was the Miami Heat. My Tweeter exploded last night with all sorts of venom against the Heat, as they were losing to the Mavs. I could only laugh. Because it was a great example of the hypocrisy of so many sports fans. The Heat draws the ire of basically everyone because the top 3 free agents last year decided to play in Miami. The big 3 each took a $10-20MM financial hit in order to win championships. Sure, I see how fans of other teams can feel put out. Especially the fans in Cleveland who ended up holding the bag when LeBron left. But folks in LA? Folks in Boston? Folks in NYC? C’mon, man! How is what those teams do any different than what the Heat did? Except maybe the Heat did a better job – they landed the free agent whales. It seems like Boston fans have managed to forget Danny Ainge betting the ranch to bring in Kevin Garnett and Ray Allen to join Paul Pierce. And they delivered a championship. But that was different, right, Celtics fans? The Knicks signed Amar’e and then traded pretty much everything else to get Carmelo Anthony. How is that different, especially after a first round exit in the playoffs? They talk about shortcuts, and in some of these pro leagues an owner willing to bet the ranch can assemble a very competitive team right now. How about baseball? The Yankees and Red Sox have been doing this forever. The Phillies joined the club this year as well, paying through the nose for Cliff Lee. And would it surprise anyone to see these teams playing in late October? What’s more surprising was last year, when teams like San Francisco and Texas got to play in the World Series. That gets me to the point: folks are really pissed merely because their teams couldn’t get those guys.

Basically they are jealous and complaining someone else did a better job – hypocrites. Maybe the sorest guy about this whole thing is the dude that owns the Cavs – Dan Gilbert. He was kind enough to tweet about the fact there are no shortcuts, which is a load of crap. There may not be a shortcut directly to winning the championship, but there are certainly shortcuts to make a team very competitive. And if you aren’t competitive, I’m pretty sure you won’t be playing in the championship.

Photo credits: “Hypocrisy” originally uploaded by satosphere

Incite 4 U

On the “budget less” CISO: Raf Los seems to be hell-bent on antagonizing pretty much every CISO out there, advocating a divorce of the CISO from the security budget. The thing is, he’s advocating taking away something that was never really there in the first place. Sure, every company (of scale anyway) has a security budget, but that’s not our money. That’s the money the business has allocated as a cost of doing business. Maybe it’s to meet compliance needs. Maybe it’s to provide a minimum level of security. You can be sure the CFO will be trying to minimize this cost. Raf talks about a very Pragmatic approach to working with the business, in order to get them ultimately to buy into better controls. I have long believed that persuasion is the CISO’s most important skill – you must make the case to protect against an unknown attacker, using an unknown attack, going after data that may or may not be important. – MR

ePayment pie: The fight for mobile payment supremacy is in full swing. And why not? Person to person commerce – with every mobile device able to be a point of sale terminal – offers huge potential revenue. The credit card providers love the concept of Square and Mophie Marketplace. It’s a win-win – for the banks anyway. Not only does more money move through the credit card system, but it gets close to removing cash from commerce altogether by making credit and pre-pay cards the de facto currency, with 2-3% transaction fees. Tons of smaller virtual currency providers are popping up to support people who want to pay in different ways, for everything from social networking to porn. You know it’s a big deal when the political lobbyists are going after other forms of virtual currency – like Bitcoin and Live Gamer – positioning their competition as unstable and only for online gaming and buying illegal drugs. Each virtual currency has its ideal application, and each has benefits for security, privacy, anonymity, and/or financial protection. So we will see plenty of FUD as all the players fight for a bigger slice of the revenue. – AL

Passwords still suck: No, not the actual concept of passwords. Those are fine, as Adrian points out when pushing password managers. But only if you use them. The LulzSec folks continue to wreak havoc, so we might as well learn something from them. Troy Hunt does a great analysis of the passwords posted as a result of one Sony breach. Lots of pie charts and even a comparison to the file of Gawker passwords posted last year. The results are predictable, and sad. Well, they are sad if you want to improve the world. You can be happy if you are just hoping to not get pwned personally. Given the sheer number of weak passwords out there, if you use something a little less weak, you have a good chance of being over the threshold of what’s worthwhile for the bad guys. And lord knows, they are still all about the path of least resistance. – MR

Zero knowledge pulpit: There is absolutely no reason to believe you can’t securely house PCI data in a cloud or virtualized environment. Ellen Messmer’s article questioning


More Control Doesn’t Equal More Secure

Last week, while teaching the CCSK (cloud security) class, the discussion reached a point I often find myself in these days. We were discussing the risk of cloud computing, and one of the students listed “less control” as a security risk. To be honest, this weaves itself through not only the Guidance but most risk analyses I have seen. And it’s not limited to cloud discussions. One of the places I hear it most often is in reference to mobile computing – especially iOS devices. For example, while hosting an event at RSA earlier this year we had a security pro with over 10 years of experience state that they don’t let iPads/iPhones in, but they still use Windows XP. When I asked why they allow a patently out of date and insecure OS, while blocking one of the most secure devices on the market, his response was “we know Windows XP and can control it”. Which, to me, is like saying you are satisfied to pick exactly which window the burglar will come in and leave through. More knowledge or control doesn’t necessarily translate into better security. In fact, uncertainty can be a powerful motivator to implement security controls you otherwise neglect due to a misplaced sense of certainty. We all know you are far less likely to crash in a plane than to die in a car accident. Or that your children are far more at risk of drowning or (again) car accidents than of being abducted by a stranger. But we feel in control when driving a car, so we feel safer even though that’s flat-out wrong. You can’t control everything. Not your own systems or employees, no matter where they are located. Design for uncertainty, and you can better adapt to new opportunities or threats, at (I suspect, but can’t prove) the same costs. Not that you shouldn’t maintain some degree of control, but don’t assume control means security.


Secure Passwords Sans Sales Pitch

I love my password manager. It enables me to use stronger passwords, unique passwords for every site, and even rotate passwords on select web services. You know, the sites that involve money. Because I can sync its data among all my computers and mobile devices, I am never without access. I believe this improves the security of my accounts, and as such, I am an advocate of this type of technology. I was encouraged when I saw the article Guard That Password in this Sunday’s New York Times. Educating users on the practical need for strong passwords in a mainstream publication is refreshing. Joe User should know how effective just a couple of extra password characters can be for foiling attackers. On the downside, the article looks more like a vendor advertisement – in an attempt to reduce concerns over LastPass’s own security, the author seems to have missed describing the core values of a password manager.

First, a couple of pieces of information that were missing from the article. One of its fundamental mistakes is that most merchants – along with the associated merchant web sites – don’t encrypt your password. On-line service providers don’t really want to store your password at all; they just want to verify your identity when you log in. To do this most sites keep what is called a ‘hash’ of your password – the output of a one-way function that conceals your password in a garbled state. Each time you log in, your password is hashed again. If the new hash matches the original hash created when you signed up, you are logged in. This way your password can be matched without the threat of having the passwords reversed through the attacks described by Prof. Stross. Attackers still target these hashed values during data breaches, as they can still figure out passwords by hashing common password values and seeing if they match any of the stolen hashes.

In most cases you directly improve your password security by choosing longer passwords, thereby making them more difficult for an attacker to guess. All bets are off if the owner of a web site you visit does not secure your password. If the merchant stores unencrypted or un-hashed passwords – which is what Sony is being accused of – it requires no work for the attacker. You can’t force a web site owner to secure your password properly, and you can’t audit their security, so don’t trust them. The (generally unstated) concern is that people are bad at remembering passwords, so they use the same ones for eBay, Amazon, and banks. That means anyone who can decrypt or identify your password on a Sony site has a good chance to compromise your account on other (more lucrative) sites. Which brings us to my point for this post: using a password manager frees you from conventional problems, such as your memory. Your security is no longer dependent on how good your memory is. The commercial products all generate random strings with special characters for unguessable passwords. So why should we limit passwords to 10 characters? You no longer need to remember the passwords – the manager does this for you – so think 20 characters. Think 25 characters! And just as important, why limit yourself to one password when you should have a different password for every single site? This reduces the scope of damage if a site is hacked or when a merchant has crappy security. Finally, if you don’t trust the password manager to securely store your password in ‘the cloud’, you can always select a password manager that stores exclusively on your computer or mobile device. Password managers are one of the few times you can get both convenience and security at the same time, so take advantage!


FireStarter: Truth and (Dis)Information

We all have our own truth. Think about it: two people can see exactly the same thing, but remember totally different situations. Remember the last argument you had with your significant other. It happens all the time. You see the world through your own lens, and whatever you believe: that’s your truth. But when someone questions that truth, even the strongest of us may falter. That’s the secret of disinformation, which creates deception and distrust, and can subvert any collective. Two recent data points push me to believe we are seeing a well-orchestrated disinformation campaign against the folks Josh Corman calls chaotic actors. You see, these loosely affiliated collectives of cyber-vigilantes are causing significant damage within the halls of power. And it seems the powers that be are concerned. To be clear, I don’t know anything specific. I’m basically speculating based on the ton of information I consume about security, making a living matching patterns, and a lot of spy novels. When I see a very specific gauntlet laid down by someone within NATO, basically claiming that Anonymous will be infiltrated, it’s interesting. Then I see another story which seems kind of wacky. The Guardian reports that 1 in 4 so-called hackers are actually informants. Gosh, that seems like a lot. To the point of being unbelievable. But combining these two data points gets very interesting. You see, by definition these chaotic actors are geographically dispersed. They communicate via secure(ish) mechanisms that obscure true identities, for obvious reasons. They have some kind of vetting process for folks who want to join their groups. Aaron Barr of HBGary Federal can tell you a bit about what happens when you are caught as an unwanted interloper. But at some point, they have to trust each other in order to put their plans into action. But disinformation breeds distrust.

So it makes sense that, lacking any direct means to take down these collectives, a disinformation campaign would be next. Basically NATO has specifically called out Anonymous. The FBI allegedly has thousands of informants at all levels of all the online syndicates. Then throw in the high-profile takedowns of a few botnets recently, the arrest of some Spanish guys allegedly involved with Anonymous, and the reality that the hacker of all hackers, Albert Gonzalez, was an informant – and maybe the story isn’t so unbelievable, is it? So basically the chaotic actors start wondering if the folks they’ve been working with can be trusted. Maybe they are informants. Maybe they’ve already been infiltrated. Maybe the traitor is you. You see, whether the informants actually exist is beside the point. I do believe there are active efforts to penetrate these groups, since a public execution is another aspect of a psychological campaign to breed distrust. But I figure these efforts aren’t going too well. If the informants existed, the powers that be wouldn’t talk, they’d act. No? Am I nuts? Been reading too much Ludlum? Let me know what you think…

PS: My old colleague Brian Keefer (@chort0) tweeted some similar thinking on Friday. Unfortunately I was tied up with our CCSK training and couldn’t engage in that discussion. But I wanted to recognize Brian drawing a similar conclusion…

Photo credit: “disinformation is king” originally uploaded by ramtops


Balancing the Short & Long Term

Our pal Eddie Schwartz was named CSO of RSA earlier this week, presumably with a big role at the mothership (EMC) as well. The Tweeter exploded with congratulations, as well as cautions about the difficulty of the job, given the various shoes that will inevitably continue to drop resulting from the April breach. Believe you me, Lockheed and L-3 are the tip of the iceberg. Also think about Sony, which has been subjected to an ongoing hacker mauling the likes of which we had not seen before. The sad tale is being documented in real time at attrition.org. Crap, they even made owning Sony a verb (sownage). That’s never good. Sony recently named a fellow to fix it, and he faces the same challenge as Eddie. How do you drive consistent awareness and behavioral change to protect information in an organization of tens of thousands of people? You had better have a plan, and not a short-term one. There are no quick fixes for a situation like this. Why can’t Sony and EMC just write a few checks and fix it? Wouldn’t that be nice? But as my stepfather says, “If it’s a problem you can solve with money, it’s not a problem.” Guess what? This is a problem. Shrdlu’s recent missive really illuminates the difficulties in getting everyone to march to exactly the same drum. As she says, it takes a long time (think years, not months) to effect that level of change. If that were the only issue facing these guys, the situation would be manageable. Sort of. Unfortunately it’s not that simple, because we live in a short-term world and both of them need to play find the turd – I mean, perform a risk assessment – to understand where the other soft targets reside. Then they need to monitor those resources and watch carefully for signs of attack. Like sharks smelling blood, it won’t take long before the next wave of hungry attackers surround the wagons, as is happening now with Sony. That’s the short term plan.

But we all know the short term has a funny way of consuming all the resources, forever. You know, life is a series of short-term fires which need to be dealt with. Long-term plans never mature (and often aren’t even made). This is what separates the organizations which recover from breaches from those which don’t. So the art is to pay attention to the short term without losing sight of long-term goals. Yeah, easier said than done. Sony, RSA/EMC, Epsilon, Lockheed, and all the other organizations showing up in the 24/7 media cycle have a great opportunity to capitalize on their short-term pain to implement long-term structural changes. Will they do it? I have no idea, but we’ll know soon enough by keeping an eye on the front pages. The media is good like that.


Incite 6/8/2011: Failure to Launch

Shipping anything is pretty easy nowadays. When someone buys the P-CSO, I head over to the USPS website, fill out a form, and print out a label. If it takes 5 minutes, I need more coffee. Shipping via UPS and FedEx is similarly easy. Go to the website, log in, fill out the form, print out a paper label, tape it to the package, and drop it off. I remember (quite painfully) the days of filling out airbills (in triplicate) and then waiting in line to make sure everything was in order. As many of you know, Rich and Adrian are teaching our CCSK course today and tomorrow. It’s two days of cloud security awesomesauce, including a ton of hands-on work. I did my part (which wasn’t much) by preparing the fancy Securosis-logo USB drives with the virtual images, as well as the instructor kits. I finished that up Sunday night, intending to ship the package out to San Jose Monday morning. So I get onto FedEx’s site (because it absolutely positively has to be there on Tuesday) and fill out my shipping form. Normally I expect to print the label and be done with it. But now my only option is to have a mobile shipping confirmation sent to me. What the hell is a mobile shipping confirmation? Is there an app for that? I read up on it, and basically they send me a bar code via email that any FedEx location can scan to generate the label right there. Cool. New technology. Bar codes. What could go wrong? I take my trusty iPhone with my shiny barcode email to the local FedEx Office store first thing Monday morning. The guy at the counter does manage my expectations a little bit by telling me they haven’t used the mobile confirmation yet. Oh boy. Basically, FedEx did send a notice to each location, but they clearly did not do any real training about how the service works. The barcode is a URL, not a shipping number. The folks at the store didn’t know that and it took them about 10 minutes to figure it out. It was basically a goat rodeo.

The FedEx Office people could not have been nicer, so the awkward experience of them calling a number of other stores, to see if anyone had done it successfully, wasn’t as painful as it could have been. But the real lesson here is what I’ll tactfully refer to as the elegant migration. Maybe think about supporting multiple ways of generating a shipping label next time. At least for a few weeks, while all the stores gain experience with the new service. Perhaps do a couple of test runs for all the employees. Why not give folks a chance to be successful, rather than forcing them to be creative to find a solution to a poorly documented new process while a customer is standing there waiting? When we launch something new, basically Rich, Adrian, and I get on the phone and work it out. It’s a little different when you have to train thousands of employees at hundreds of locations on a new service. Maybe FedEx did the proper training. They may have asked folks to RTFM. Maybe the service has been available for months. Maybe I just happened to stumble across the 3 folks out of thousands who hadn’t done it before. But probably not. – Mike

Photo credits: “RTFM – Read the F***ing Manual” originally uploaded by Latente

Incite 4 U

Better close those aaS holes: The winner of the word play award this week is none other than Fred Pinkett of Security Innovation. In his post Application Security in the Cloud – Dealing with aaS holes, Fred does a good job detailing a lot of the issues we’ll deal with. From engineering aaS holes (who aren’t trained to build secure code), to sales aaS holes who sell beyond their cloud’s capabilities, to marketing aaS holes (who avoid good security practices to add new features or shiny objects), to management aaS holes (folks who forget about good systems management practices, figuring it’s someone else’s problem), there are lots of holes we need to address when moving applications to the cloud. Fred’s points are well taken, and to be clear this is a big issue we address a bit in the CCSK curriculum. Folks don’t know what they don’t know yet, which means we’ll be trying to plug aaS holes for the foreseeable future. – MR

Payment shuffle: Will interoperability and commerce finally push the adoption of smart cards in the US? Maybe, or at least the card vendors hope they will, with European travelers starting to have troubles with mag stripe cards. It’s not like this hasn’t been tried before. I remember reading about Chip and PIN (CAP) credit cards in 1997. I remember seeing the first US “Smart Card” advertised – I think by Citi – as a security advantage to consumers in 1999. That didn’t go over too well. Consumers don’t much care about security, but you already knew that. Europe adopted the technology a decade ago, but we have heard nothing in the US consumer market since. Why? Because we have PCI, which is the panacea for everything. Haven’t you heard that? Why improve security when you can pass the buck? Yup, it’s the American way. – AL

Closing the window: Last night RSA released a new letter to their customers about their breach, and the attack on Lockheed and other defense contractors. Lockheed confirmed in a New York Times article that information stolen from RSA was used to attack them. Fortunately Lockheed managed to stop the attack. If I wasn’t out in California to teach the CCSK class this week I’d probably write a more detailed post because it’s definitely a big deal. There is now no doubt that customer seeds were stolen. And whoever stole them (IPs linked back to China) used the seeds to attack at least three major defense contractors simultaneously, less


Security: the Cloud Bogeyman

I clearly remember being a kid and scared there was a monster in my closet. I was pretty young, and all it took was my Mom wrapping a can of Right Guard in a “Monster Spray” label to allay my fears. My kids tend to get scared by stuff they can’t see as well, and movies like Monsters, Inc. haven’t done much to dispel the fear in today’s generation. When I went to sleepover camp, there were the stories of Cropsey to terrorize new campers, and the chain goes on and on. We continue to be scared by the stuff we don’t understand. It looks like the cloud falls into the same boat, as shown by the latest survey by Kelton Research sponsored by Avanade. No, I hadn’t heard of either of these shops either. But all the same, 25% say they’ve had a security breach with a cloud service and 20% are moving back to traditional on-premise apps. There, my friends, is the bogeyman, in full effect. Since we built the CCSK curriculum, your friends at Securosis have become immersed in many things relating to securing cloud infrastructure. In fact, Rich and Adrian will be teaching the course this week in San Jose to a packed house. We are also training the first set of instructors for the course, so expect to see it offered near you very soon. Which is a great thing, given our collective fear of the unknown. So here is the dark little secret of cloud security. It’s different, but not that different from securing your traditional environment. The reality is that most folks suck at security, and moving applications & infrastructure to the cloud is not going to miraculously make them any better at it. If you are good at security on-premise, you’ll likely be pretty good when you move stuff to the cloud. That doesn’t mean you will automagically understand how all the pieces fit together, but the fundamentals are largely the same.

There really are additional moving pieces, of course, and depending on where in the SPI stack you stake your cloud tent, you’ll need to think about more heavily instrumenting your applications for security and logging/monitoring. Identity changes a bit as well. And never forget that the entire environment (especially private cloud) remains immature and overly complicated. But since FUD (especially the Fear) is such a powerful motivator for buying security widgets you may or may not need, we’ll see lots of questions about how secure the cloud is. We’ll see plenty of Chicken Little behavior to convince you the cloud is not safe – unless you use this cloud security widget, of course. But – just as I tell my kids – if you are scared of something you need to understand it. It very well may warrant fear or terror. But until you understand what you are talking about your fear is not justified. So get educated on cloud stuff. Go take the course. Ask questions, focus on educating yourself and your organization, and then figure out how and how much cloud computing makes sense for you. Just don’t give in to the fear of the unknown that will plague this technology for the next few years. It’s not that scary. Promise.

Photo credit: “bogeymen everywhere 1” originally uploaded by Voyager10


Friday Summary: June 3, 2011

Speaking as someone who had to wipe several computers and reinstall the operating system because the Sony/BMG rootkit disabled the DVD drive, I need to say I am deriving some satisfaction from this: Lulzsec has hit Sony. Again. For like the, what, 10th incident in the last couple months? I’m not an anarchist and I am not cool with the vast majority of espionage, credit card fraud, hacking, and defacement that goes on. I pretty consistently come down on the other side of the fence on all that stuff. In fact I spend most of my time trying to teach people how to protect themselves from those intrusions. But just this once – and I am not too proud to admit it – I have this total case of schadenfreude going. And not just because Sony intentionally wrote and distributed malware to their customers – it’s for all the bad business practices they have engaged in. Like trying to stop the secondary market from reselling video games. It’s for spending huge amounts of engineering efforts to discourage customers from customizing PlayStations. It’s for watermarking that deteriorated video and audio quality. It’s for the CD: not the CD medium co-developed with Philips, but telling us it sounded better than anything else. It’s for telling us Trinitron was better – and charging more for it – when it offered inferior picture quality. It’s for deteriorating the quality of their products while pushing prices higher. It’s for trying to make ‘ripping’ illegal. Sony has been fabulously successful financially, not by striving to make customers happy, but by identifying lucrative markets and owning them in a monopoly or bust model – think Betamax, Blu-ray, PlayStation, Walkman, etc. So while it may sound harsh, I find it incredibly ironic that a company which tries to control its customer experience to the nth degree has completely lost control of its own systems. It’s wrong, I know, but it’s making me chuckle every time I hear of another breach.

Before I forget: Rich and I will be in San Jose all next week for the Cloud Security Alliance Certification course. Things are pretty hectic but I am sure we could meet up at least one night while we are there. Ping us if you are interested!

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
Rich quoted on Lockheed breach.
Adrian’s Dark Reading post.

Favorite Securosis Posts
Mike Rothman: Understanding and Selecting a File Activity Monitoring Solution. Interesting new technology that you need to understand. Read it.
Rich: Cloud Security Training: June 8-9 in San Jose.
Adrian Lane: A Different Take on the Defense Contractor/RSA Breach Miasma.

Other Securosis Posts
Incite 6/1/2011: Cherries vs. M&Ms.
Tokenization vs. Encryption: Options for Compliance.
Friday Summary: May 27, 2011.

Favorite Outside Posts
Adrian Lane: Botnet Suspect Sought Job at Google. I can only imagine the look on Dmitri’s face when he saw this – innocent or not.
Mike Rothman: BoA data leak destroys trust. But at what scale? Are customers rushing for the door because their bank was breached? Since there are no numbers people just assume they do. As a contrarian, that’s a bad assumption.
Rich Mogull: Clouds, WAFs, Messaging Buses and API Security…

Project Quant Posts
DB Quant: Index.
NSO Quant: Index of Posts.
NSO Quant: Health Metrics–Device Health.
NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.

Research Reports and Presentations
Understanding and Selecting a File Activity Monitoring Solution.
Database Activity Monitoring: Software vs. Appliance.
React Faster and Better: New Approaches for Advanced Incident Response.
Measuring and Optimizing Database Security Operations (DBQuant).
Network Security in the Age of Any Computing.

Top News and Posts
ElcomSoft Breaks iOS 4 Encryption.
An Anatomy of a Boy in the Browser Attack. Usually I stay away from vendor blogs, but Imperva has had some good posts lately.
Lulzsec has hit Sony. Again. For the, what, 5th – er, 10th – breach in the last couple months?
PBS Totally Hosed by Lulzsec. They got just about every single database. Ouch. Where do they find the time to post funny Tupac articles?
Apple Malware Patch Defeated. And by the time you read this there will probably be a new patch for the old patch.
Apple Malware Patch.
Android Users Get Malware. It’s a feature.
Gmail Users Compromised.

No favorite comment this week.


A Different Take on the Defense Contractor/RSA Breach Miasma

I have been debating writing anything on the spate of publicly reported defense contractor breaches. It’s always risky to talk about breaches when you don’t have any direct knowledge about what’s going on. And, to be honest, unless your job is reporting the news it smells a bit like chasing a hearse. But I have been reading the stories, and even talking to some reporters (to give them background info – not pretending I have direct knowledge). The more I read, and the more I research, the more I think the generally accepted take on the story is a little off. The storyline appears to be that RSA was breached, seed tokens for SecurID likely lost, and those were successfully used to attack three major defense contractors. Also, the generic term “hackers” is used instead of directly naming any particular attacker. I read the situation somewhat differently: I do believe RSA was breached and seeds lost, which could allow that attacker to compromise SecurID if they also know the customer, serial number of the token, PIN, username, and time sync of the server. Hard, but not impossible. This is based on the information RSA has released to their customers (the public pieces – again, I don’t have access to NDA info). In the initial release RSA stated this was an APT attack. Some people believe that simply means the attacker was sophisticated, but the stricter definition refers to one particular country. I believe Art Coviello was using the strict definition of APT, as that’s the definition used by the defense and intelligence industries which constitute a large part of RSA’s customer base. By all reports, SecurIDs were involved in the defense contractor attacks, but Lockheed in particular stated the attack wasn’t successful and no information was lost. 
If we tie this back to RSA’s advice to customers (update PINs, monitor SecurID logs for specific activity, and watch for phishing) it is entirely reasonable to surmise that Lockheed detected the attack and stopped it before it got far, or even anywhere at all. Several pieces need to come together to compromise SecurID, even if you have the customer seeds.

The reports of remote access being cut off seem accurate, and are consistent with detecting an attack and shutting down that vector. I’d do the same thing – if I saw a concerted attack against my remote access by a sophisticated attacker I would immediately shut it down until I could eliminate that as a possible entry point.

Only the party which breached RSA could initiate these attacks. Countries aren’t in the habit of sharing that kind of intel with random hackers, criminals, or even allies.

These breach disclosures have a political component, especially in combination with Google revealing that they stopped additional attacks emanating from China. These cyberattacks are a complex geopolitical issue we have discussed before. The US administration just released an international strategy for cybersecurity. I don’t think these breaches would have been public 3 years ago, and we can’t ignore the political side when reading the reports. Billions – many billions – are in play.

In summary: I do believe SecurID is involved, I don’t think the attacks were successful, and it’s only prudent to yank remote access and swap out tokens. Politics are also heavily in play and the US government is deeply involved, which affects everything we are hearing, from everybody. If you are an RSA customer you need to ask yourself whether you are a target for international espionage. All SecurID customers should change out PINs, inform employees to never give out information about their tokens, and start looking hard at logs. If you think you’re on the target list, look harder. And call your RSA rep.
But the macro point to me is whether we just crossed a line. As I wrote a couple months ago, I believe security is a self-correcting system. We are never too secure because that’s more friction than people will accept. But we are never too insecure (for long at least) because society stops functioning. If we look at these incidents in the context of the recent Mac Defender hype, financial attacks, and Anonymous/Lulz events, it’s time to ask whether the pain is exceeding our thresholds. I don’t know the answer, and I don’t think any of us can fully predict either the timing or what happens next. But I can promise you that it doesn’t translate directly into increased security budgets and freedom for us security folks to do whatever we want. Life is never so simple.
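The post’s concrete advice is to change PINs and "start looking hard at logs". As an added example, not from the post and not from RSA, the Python below applies that advice to a handful of constructed two-factor authentication log lines: it flags accounts with a burst of rejected passcodes, bursts that end in an accepted passcode (the pattern a guessed or replayed tokencode would leave behind), and sources whose failures are spread across many accounts. The log format, event names (`PASSCODE_REJECTED`, `PASSCODE_ACCEPTED`), thresholds and sample lines are all assumptions for this example, not RSA’s real log format or guidance.

```python
"""Added example: scan constructed OTP authentication logs for the patterns a
SecurID customer following RSA's 'watch your logs' advice would look for.
Everything here (format, event names, thresholds, sample data) is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format): timestamp user source result
SAMPLE_LOG = """\
2011-05-20T08:01:02 jdoe 10.1.2.3 PASSCODE_ACCEPTED
2011-05-20T08:03:10 asmith 203.0.113.7 PASSCODE_REJECTED
2011-05-20T08:03:15 asmith 203.0.113.7 PASSCODE_REJECTED
2011-05-20T08:03:21 asmith 203.0.113.7 PASSCODE_REJECTED
2011-05-20T08:03:30 asmith 203.0.113.7 PASSCODE_REJECTED
2011-05-20T08:03:41 asmith 203.0.113.7 PASSCODE_ACCEPTED
2011-05-20T08:05:00 bchen 203.0.113.7 PASSCODE_REJECTED
2011-05-20T08:05:05 dlee 203.0.113.7 PASSCODE_REJECTED
2011-05-20T08:05:11 efoster 203.0.113.7 PASSCODE_REJECTED
2011-05-20T09:30:00 jdoe 10.1.2.3 PASSCODE_REJECTED
2011-05-20T12:00:00 jdoe 10.1.2.3 PASSCODE_ACCEPTED
"""


def parse_log(text):
    """Return a list of (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, source, result = line.split()
        events.append((datetime.fromisoformat(ts), user, source, result))
    return events


def failed_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts whose rejected passcodes peak at >= threshold inside a sliding
    window. Returns {user: peak_count_in_window}."""
    per_user = defaultdict(list)
    for ts, user, _, result in events:
        if result == "PASSCODE_REJECTED":
            per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def failures_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Accepted passcode preceded by >= min_failures rejects within `window`.
    This is the higher-priority signal: the account should be contacted,
    not just watched. Returns [(user, failures_before_success, accept_time)]."""
    recent = defaultdict(list)
    flagged = []
    for ts, user, _, result in sorted(events):
        hist = recent[user]
        hist[:] = [t for t in hist if ts - t <= window]   # drop stale rejects
        if result == "PASSCODE_REJECTED":
            hist.append(ts)
        elif result == "PASSCODE_ACCEPTED" and len(hist) >= min_failures:
            flagged.append((user, len(hist), ts))
            hist.clear()
    return flagged


def sources_spraying(events, min_users=3):
    """Sources whose rejected attempts touch >= min_users distinct accounts,
    i.e. one origin working through a list of users rather than one login."""
    users_by_source = defaultdict(set)
    for _, user, source, result in events:
        if result == "PASSCODE_REJECTED":
            users_by_source[source].add(user)
    return {src: sorted(users) for src, users in users_by_source.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("burst of rejects per account:", failed_bursts(evs))
    print("rejects followed by accept:  ", failures_then_success(evs))
    print("sources spraying accounts:   ", sources_spraying(evs))
```

On the sample data `asmith` trips both per-account checks (four rejects in 20 seconds, then an accept), and `203.0.113.7` trips the per-source check because its failures span four accounts; `jdoe`’s single reject hours before a successful login is the ordinary typo and is left alone. Real deployments would pull the events from the authentication server’s own logs and tune the window and thresholds to the user population.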

New White Paper: DAM Software vs. Appliances

I am pleased to announce our Database Activity Monitoring: Software vs. Appliance Tradeoffs research paper. I have been writing about Database Activity Monitoring for a long time, but only within the last couple of years have we seen strong adoption of the technology. While it’s not new to me, it is to most customers! I get many questions about basic setup and administration, and how to go about performing a proof of concept comparison of different technologies. Since wrapping up this research paper a couple weeks ago, I have been told by two separate firms that, “Vendor A says they don’t require agents for their Database Activity Monitoring platform, so we are leaning that way, but we would like your input on these solutions.” Another potential customer wanted to understand how blocking is performed without an in-line proxy. These are exactly the reasons I believe this paper is important, so I’m glad this is clearly the right time to examine the deployment tradeoffs. And yes, these questions are answered in section 4 under Data Collection, along with other common questions.

I want to offer a special thanks to Application Security Inc. for sponsoring this research project. Sponsorship like this allows us to publish our research to the public – free of charge. When we first discussed their backing this paper, we discovered we had many similar experiences over the last 5 years, and I think they wanted to sponsor this paper as much as I wanted to write it. I hope you find the information useful! Download the paper here (PDF).

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.