Research

Sopra Group, through its Axway subsidiary, has acquired Tumbleweed Communications for $143 million. The press release is here. With Tumbleweed’s offerings for email security, secure file transport, and certificate validation, there were just not enough tools in that chest to build a compelling story- either for messaging security or secure transaction processing. And it provides just one more example of why Rothman is right on target. Given that Tumbleweed’s stock price has been flat for the entirety of this decade, this is probably both a welcome change of scenery from the stockholders’ perspective, and a sign of new vision on how best to utilize these technology elements. There are lots of fine email/content security products out there having a very difficult time of expanding their revenue and market share. Without some of the other pieces that most of their competitors have, I am frankly impressed that Tumbleweed has made it this far. Dropping this product line into the Axway suite makes sense as it will add value to most of their solutions, from retail to healthcare, so this looks like a positive outcome. Share:

From the “I really don’t get it” files: First I read that Google’s new Chrome browser & Internet Explorer modifications are threats to existing advertising models. And this is news? I have been using Firefox with NoScript and other add-ons in a VMWare partition that gets destroyed after use for a couple years now. Is there a difference? What’s more, there is an interesting parallel in that both are cleansing browsing history and not allowing certain cookie types, but rather than dub these ‘privacy advancements’, they are being negatively marketed as ‘porn mode’. What’s up with that? Perhaps I should not be puzzled by this Terror database failure, as whenever you put that many programmers on a single project you are just asking for trouble. But I have to wonder what the heck they were doing, to fail this badly with the ‘Terror Database Upgrade’? This is not a very big database- in fact 500k names is puny. And they let go 800 people who were just part of the team? Even if they are cross-referencing thousands of other databases and blobs of information, the size of the data is trivial. Who the heck could have spent $500M on this? What, did they write it in ADA? Can’t find enough good Foxbase programmers? For a couple of million, I bet you could hire a herd of summer interns and re-enter the data into a new system if need be. It’s a “Terror Database” all right, just not the way they intended it to be. MIT develops a network analysis tool that “enables managers to track likely hacking routes”. Wow, really? Oh, wait, don’t we already have a really good tool that does this? Oh yeah, we do, it’s Skybox! Share:

After a hectic week of being locked away in a warehouse in Denver, I’m sitting in a hotel room in Vancouver getting ready to board a ship to Alaska. Now that’s it’s all over I can give a few more details as to what I was up to last week. As I’ve mentioned before, I’m on a federal emergency response team. I won’t identify the team, otherwise I’d have to get approval to write about it, but we’re one of the groups that’s called in to deal with major disasters. Our team is one of a few specialized ones, and aside from regular disaster work we’re dedicated to providing medical response to any incidents involving a weapon of mass destruction. We’re trained to provide medical care and mass decontamination under pretty much any circumstances (thus all the hazmat training). We’ve never actually responded to any WMD incidents, and sometimes I wonder how much longer we’ll have that mission. Back when the team was created there weren’t any significant decontamination resources in the country; even the military only had 1 domestic team. Now, pretty much every fire department has at least some decon capabilities. Still, we’re the most capable team out there in terms of resources and capacity, so perhaps we’ll survive a little longer. The one place we do get used is during designated National Security Events, like the DNC, where we are pre-positioned in case something happens. While it would take us up to 24 hours to travel to a random incident, when we’re pre-positioned we can be there within minutes. Thus I spent a week locked up in a warehouse (and I do mean locked up) just in case something bad happened. Since we were on clock, rather than sitting around all day we crammed in a ton of training. Since I’m just an EMT, and no longer a paramedic, it was nice to go through some of the advanced classes I normally don’t get access to any more. Nice to know I can still pass Advanced Cardiac Life Support; a class I haven’t taken in over 10 years. We covered everything from driving off road vehicles in Level A hazmat suits, to air monitoring, to disaster medicine, to pediatric advanced life support. Living in a warehouse for a week with 58 other people, spending my 12 hour shifts in training and cleaning bathrooms, was a surprisingly motivating experience. There’s really nothing more motivating than working with a well-oiled team under difficult circumstances. While emergency services doesn’t pay the bills any more, it definitely feeds the soul. While on deployment I managed to miss the 1 year anniversary of Securosis, L.L.C. It’s hard to believe a full year has passed and I’ll write more on that later. We’ve got some big plans for the coming year, and I’m excited about some of the opportunities in front of us. But right now it’s time to sign off for a week and enjoy my first real vacation in I can’t remember how long. My wife and I aren’t generally the cruising type, but we figured that’s the best way to see the glaciers on a tight timeline before they all melt. The site and business are in Adrian’s hands as I run off and play with bears and icebergs. I’ll be checking in on email, but don’t expect a response until I get back unless it’s an emergency. I hope you all have as good a week as I’m expecting, and those of you down south please stay safe with all the storms. Share:

Very nice article by Ken Schachter over on the Red Herring site yesterday. Aladdin Knowledge Systems, the Israeli security firm that was recently in the news after acquiring the Secure Computing SafeWord product, was itself the target of a takeover bid. The bid comes from Vector Capital, the backers of SafeNet. The opening bid was rejected, but this looks like the typical negotiating dance, so I expect we will see more activity in the coming weeks. Aladdin has an interesting mix of encryption products as well as the eSafe line of web and content security appliances. It is not clear to me if Vector’s intention is to merge companies, but that would make sense. It While Aladdin has a great deal of overlap with what SafeNet provides, there are considerable synergies as well, both in the areas of a combined DRM offering, content filtering as well as Aladdin’s products possibly utilizing SafeNet hardware. Regardless of long term vision and synergies, with Aladdin Q2 revenue slump and 52 week low share price, they are an attractive target. It will be interesting to see how this plays out. Share:

Nice article over on MSN about data mining and analysis of credit card purchases to adjust people’s credit score. In a nutshell, some of the card issuers are looking at specifically what people are purchasing, not just payment history, in determining credit worthiness. Worse, they will adjust the credit score over time. So the FTC has file suit against at least one company, CompuCredit, for ‘deceptive’ marketing practices, which does not really capture the essence of the problem. I am not sure if it can be legally called a privacy violation, but it my mind this is exactly the heart of the issue. This goes well beyond my typical ‘beef’ with companies that use my personal data to my detriment. Yes, I admit that I do not like the fact that a credit score is a made up number by the credit industry, and the entire credit scoring system is for the credit industry, with nebulous guidelines on how we play this game. But more or less, pay your bill on time, get a decent score. But by examining what we purchase in the context of our credit heavy culture, and then associate a value judgment of that purchase, is a very slippery-slope. Any good data mining software, with access to complete purchase histories, will very quickly come up with a profile of who you are, what your preferences are, and categorize your choices as a risk score. Purchase something a credit agency does not approve of, and pay more for your home loan. Almost everything that you can buy could have a social value associated with it, and you will be ranked by the preferences and values of the institution who issues the credit. Through this sort of profiling of race, gender, ailments, addictions, affinities and other traits will be identified and penalized, which is the nature of the complaint against CompuCredit. And I would wager that the ability to detect sexual orientation or religious affiliation could be added if they chose to do so. In my mind, this is very much the definition of Redlining, and one of the many tangible examples of why I harp on data privacy so often. Hopefully the FTA will come down on them hard. And for those of you were not worried about this, I know a few security professionals whos’ week in Vegas will have their FICO skimming in the low 5’s if their purchases are being evaluated. Share:

For the record, yes, those hazmat suits are really freaking hot and sweaty. I guess that’s what they mean by, “vapor barrier”. No, nothing freaky is going on; that’s just a picture from an old practice. And that’s pretty much how I’m spending this week- training, practicing, and cleaning bathrooms. I’ve talked about the value of training before, and it’s one reason we’re constantly practicing those critical skills until they become second nature. At this point, putting on a hazmat suit (level A, B, or C) is second nature. That’s the only way to survive if I ever have to wear one during a real incident. It’s an opportunity I highly doubt I’ll ever experience, but it’s also the kind of thing you can only screw up once. One of the classes I’m taking this week is Basic Disaster Life Support. It’s a fairly new class that focuses on medical management in massive incidents from the natural (earthquakes) to the man made (blowing stuff up). The biggest lesson I’m taking away from this class isn’t some specific technique for managing a specific injury but a single general principle with direct applications in the IT world- What’s next? When donning a hazmat suit it means what’s the next step? Boots, mask, hood? Then, when something fails (and it will) what do you do next? In a disaster it means what happens after you’ve exceeded your plans. Finished getting all those patients out of your hospital when the big storm is coming in? Great, where are you going to send them next? Oh, the ambulances. Right, um, how many of them are there? Where are they going? When we plan for disasters that’s the one question we need to ask at every step, and keep asking. Forever. We need contingency plans for our contingency plans. It really isn’t any different in IT. The parallels to the business continuity side are easy to draw. What happens when the power goes out? Okay, the generators just ran out of gas, what next? The roads are flooded so you can’t get more gas, so what’s next? Same thing for security, except usually we’re talking defenses. Web application firewall? Great, what happens when some bad guy gets past it or they skip it by hitting the database from a compromised internal machine? How about if they had an 0day you didn’t know about and now own the machine? And eventually you’ll run out of answers, because at that point there’s either nothing to do or it’s time to just turn it all off, or let it burn and collect the insurance money. But through the process of constantly asking that question you’ll develop a methodical, mechanical approach to solve seemingly insurmountable problems. You’ll even learn that sometimes it isn’t just having the right answer, but continuously moving (or appropriately pausing) that eventually gets you past those obstacles. What’s next? Never assume. React faster, and better. Stay in school. Don’t do drugs. Share:

Securosis Guest Editorial On occasion we invite some of our non-blogging friends to steal our thunder. Jesse Krembs, known as Agent X to those of us at DefCon, is a network engineer at undisclosed locations out East. He’s one of the guys who keeps the tubes running, and, on occasion, loves a good rant. I couldn’t sleep last night. I’ve been thinking about the MIT/MBTA hacking controversy lately. Zack Anderson, RJ Ryan, & Alessandro Chiesa are not the victims of this saga, although that plays a lot better in the media. Truth is, the MBTA is the real victim here. I can completely understand exactly where the MBTA is coming from, and why they ran to the lawyers. They are out of their depth, dealing with smart kids screwing with their systems (and livelihood) in a very public manner. The MBTA’s not in the business of running secure systems- far from it, they are the business of moving people & making the trains run on time. This is a harrowing tasking, fraught with enough complications without some kids mucking around in the back office. The MBTA didn’t request a security audit; they got audited, in the same way that a burglar cases a house before breaking in, or a mugger sizes up a mark. But unlike a burglar just looking for a single score, as far as the MBTA could tell these students were cracking the entire system and teaching the public how to do it themselves. The worst part is this was 100% avoidable. The big mistake that the MIT boys made was to treat the victim like the enemy instead of like a client. What they did is valuable; valuable enough to get an “A” from Ron Rivest, valuable enough to be presented to a crowd at Defcon 16. Valuable enough that the MBTA is willing to pay lawyers to shut them up and sort it out. If the MIT students had disclosed what they had found to the MBTA first in an honest and forthright manner, I wouldn’t be writing this. Had they done the responsible thing, everyone could win, the MIT kids could have had an awesome summer gig securing the MBTA, the MBTA & the people of Boston could be more secure. Maybe that sounds idealistic, but the MIT name carries enough weight the odds are they could have engaged in a real project, not an adversarial relationship. The baddies wouldn’t know much more then they know now. The MIT boys could even have still given their talk at DefCon. Instead, with all the arrogance of youth & higher education, the boys from MIT sco ed contact with the MBTA. They made the MBTA the enemy; the ogre in the cave, without even giving them a chance. And let’s be honest, it isn’t like this was a security issue affecting the health and safety of the train-riding public; it targeted revenue generation, and releasing the vulnerability details didn’t do anything to help the public at large. Well, the law-abiding public. Please grow up; in the connected world there are very few ogres in caves any more, and they don’t let you ride their trains. The difference between black hats and white hats is a line, and it’s a gray one. But occasionally it gets a little contrast. When you treat the person or organization with a security problem like a victim or and enemy, then you’re the bad guy. You’re basically fucking them over, sometimes hard, sometimes gently, but it’s still a screw job. When you treat them like a partner, then everyone wins. Sure, sometimes they don’t want partners, and sometimes you have to go public because they put the rest of the world at risk, but you don’t know that until you try talking to them. Finally I should note that in the end the only people winning in this case are the lawyers; the kids won’t win in the way they want, nor will the MBTA. The lawyers, on the other hand, always get paid. I understand the principle of free speech, but at the same time I also don’t believe in yelling “FIRE!” in the movie theater. The right of free speech is a gift from our Founder Fathers; use it responsibly. Finally, when you start to hack the grown-up systems of the world, be prepared to behave like adults. /rant -Jesse Share:

As many of you know, I’m more a washed -up paramedic than a security analyst. My youthful indiscretions tended to involve ambulances and fire trucks (you’d be amazed at all the fun things you can do with them when no one is looking). Although I’m just an EMT these days, I’m still on a federal response team for disasters and other large incidents. In a couple hours I’ll be heading out to wear uniforms for a week and sleep with 60 other people in an undisclosed location (don’t worry, I’m not breaking opsec by revealing that). I’m just a low level grunt on the team but find that a little manual labor does the soul some good on occasion. I may still get some writing done since we should have a fair bit of down time, but I won’t be very responsive over email. A day after that, I head off for a real vacation – my wife and I are cruising Alaska before it all melts. If I try to work on that trip I’ve been told I better practice my cold water swimming skills. Still, I’ll be checking email for emergencies. The next couple of weeks will definitely be ones of contrasts. Share:

Next week I’ll be out of the office on one of my occasional stints as a federal emergency responder. I haven’t had the opportunity to do much since we responded to Katrina, and, to be honest, am surprised the team still lets me hang on (it’s in Colorado, I’m in Arizona, and I don’t get to train much anymore). Who knows how much longer I’ll get to put a uniform on- the politics of domestic response are a freaking mess these days, with all the cash funding the war, and I won’t be surprised if some of the more expensive (and thus capable) parts of the system are dismantled. Hopefully we can hang on through the next election. Anyway, enough of my left wing liberal complaints about domestic security and on to incident management. Although I haven’t written much about it on the blog (just the occasional post), one area I talk a lot about is incident response and disaster management. Translating my experiences as a 9-1-1 and disaster responder into useful business principles. I’m frequently asked where people can get management level training on incident management. While SANS and others have some technology-oriented incident response courses, the best management level training out there is from FEMA. Yes, that FEMA. For no cost you can take some of their Incident Command Systems (ICS) courses online. I highly recommend ICS 100 and ICS 200 for anyone interested in the topic. No, not all of it will apply, but the fundamental principles are designed for ANY kind of incident of ANY scale. If nothing else, it will get you thinking. And while I’m at it, here’s a definition of “Incident” that I like to use: An incident is any situation that exceeds normal risk management processes. Although I’ve sat through a lot of the training before, I never actually went through the program and test. I’m fairly impressed- these are some of the better online courses I’ve seen. Share:

One of the sessions I enjoyed at DefCon was Nathan Hamiel and Shawn Moyer’s, “Satan is on My Friends List”. Aside from directly hacking the security of some of these sites, they experimented with creating fake profiles of known individuals and seeing who they could fool. Notably, they created a profile (with permission) for Marcus Ranum on LinkedIn, then tried to see how many people they could fool into connecting to it. Yes, folks, I fell for it. In my case it wasn’t that big a deal- I only use LinkedIn as a rolodex, and always default to known email accounts before hopping into it. But that’s not how everyone sees it, and many people use it to ask questions, connect to people they want to be associated with but aren’t really connected to. Someone behind a fake profile could spoof all sorts of communications to either gather information or manipulate connections for nefarious reasons (pumping stock prices, getting fake references, disinformation campaigns, and so on). All social networks are vulnerable to manipulation, real world or virtual, but when you remove face to face interaction you eliminate the biggest barrier to spoofing. I avoid some of this by only linking to people I know, have met, and have a reason to keep in contact with. If you’ve sent me a link request because you read the blog or listen to the podcast, and I haven’t responded, that’s why. Otherwise it loses any usefulness as a tool for me. One of Shawn’s recommendations for protecting yourself is to build a profile, even if you don’t actively use it, on all the social networks. Thus I now have MySpace and Facebook pages under my real name, tied to a throwaway email account here at Securosis. WIll it help? Maybe not- it’s easy for someone to create another account with my name and a different email address, but after I tie in a few friends that should reasonably draw people to the real me, whatever that’s worth. One unexpected aspect of this was a brief blast of mortality as Facebook splattered my high school graduating class on a signup page. I haven’t really stayed in touch with many people from high school days; in my mind’s eye they were frozen in the youth and vibrance of those few years we felt we ruled the world. Seeing them suddenly years later, long past the days of teenage hopes and dreams, was a visceral shock to the system. No, we’re not all that old, but at 37 we’re far past any reasonable definition of youth. Damn you Mr. Moyer. I can forgive you for mildly pwning me in your presentation, but smashing open my vaulted teenage memories with a lance of reality? That sir, I can never forgive. Share: