Securosis

Research

What a Silly Search

I went to the Broncos vs. Cardinals game yesterday here in Phoenix (Broncos won, in case you were wondering). On the way in we were subject to a pat down of the type I discussed here. What a joke. Basically, it looks like the employees at the gate were given strict, rote guidelines on how to search. Some of it good (no use of the palm of the hand, to limit accusations of groping), but most of it bad. I’m fairly certain that you don’t need to brush the entire length of someone’s arm when they’re wearing a t-shirt. Also, it’s probably kind of important to check someone’s coat pockets. While an untrained observer might look at one of these searches next to one of the ones we used to perform and think they’re the same, a trained observer will pick up on a stark difference. These guys moved their hands by rote on a pre-set pattern. The searchers never adjusted based on the person, and never used their eyes. It’s like they were magnetometers without brains. Our teams, even the untrained temporary help, were instructed to use their eyes and heads. Don’t just follow the same pattern over and over (although we had a minimum pattern to start); use a little judgement. Most of the time it might look the same, but the odds of finding something are significantly higher. Then again, maybe I’m just waxing nostalgic and we weren’t any better. But seriously- if any of you are senior managers in the NFL give me a call- you’re wasting everyone’s time and increasing your risk of lawsuit with what I saw. Share:

Share:
Read Post

Do Not Open Any Unexpected Microsoft Word Files

I wasn’t planning on writing about this, but with the release of a third unpatched MS Word vulnerability it’s time to be extra careful. I’m assuming this will be patched soon, but for now I’d limit yourself to only documents you are darn sure are safe. I’d tell you to stop using Word, but that’s just silly and unrealistic. Just be safe, okay? Share:

Share:
Read Post

If You Release It You Can’t Control It.

I’m on yet another airplane, this time up to Seattle for another client meeting. I felt really bad for the non-English-speaker being berated by security at the airport for daring to bring 4.2 full ounces of liquid in his bag, as opposed to the 3 ounce limit. Anyway, every now and then I see a convergence of different tidbits hitting from multiple directions that points to a single issue. This time it’s about controlling content after you make it public. I’m consistently amused by the utter shock and dismay of various individuals and corporations when… gasp.. someone takes something they made public and does something… and you won’t believe this… unexpected and unapproved with it! How dare they share that file, deep link that news article, satirize that press release, re-work the data, or, worst of all, republish sale prices posted on a web site! Here’s the thing- if you make something public, you can’t assume it won’t be used in unintended ways. From friends sharing that new song just discovered, to a website pre-posting sales prices before Black Friday. I’m not saying it’s always legal, sometimes it is and sometimes it isn’t, but what I can say is that you’re foolish if you don’t prepare and plan for unintended use. People are people. They do unexpected things during every moment of consciousness and unconsciousness. Security is fallible, and we can’t prevent everything. If you make something public; heck, sometimes if you even share it privately, the only assumption you can make is that you can’t completely control what you release. What’s the old saying? If two people know a secret it’s only really secret if one of them is dead. Personally, I say knock them both off just to be safe. Share:

Share:
Read Post

Quiet for a Few Days

I’m out in Colorado with the wife to catch up with friends (I used to live here) and test the snow for proper friction (snowboarding up at Copper, where I used to patrol). And, uh… what was it… oh yeah. Work with a client. While I’m sure I could invent all sorts of crappy metaphors on how security is like snowboarding (keep your knees bent and your weight forward or the firewall crashes?), I think I’ll just sign off for a few days and enjoy the snow. Remember- there are no friends, or blogging, on a powder day. Share:

Share:
Read Post

We Don’t Enjoy Touching You

Adam at Emergent Chaos has a quick post on the lawsuit against the Seattle Seahawks over physical searches at the stadium. My response? Get over it. I performed more pat downs than I care to admit. Sometimes thousands on a given day. It ain’t fun, and I never enjoyed touching all you smelly, drunk, think-you’re-hotter-than-you-are types out there. It was, however, a great workout for your quads after the first few hundred squats to check the ankles. The main reason for searches at football games isn’t weapons (except at Raider’s games), it’s booze. The biggest safety concern during most sporting events is drunks. More specifically, it’s testostahol. When selling beer in a stadium there is a minimum level of control and patrons can be cut off when obviously drunk. No, it isn’t perfect, but it’s more effective than most of you realize. When patrons bring in hard alcohol things can get very ugly. Aside from fights, there are a lot of associated medical concerns (drunks like to fall down, pass out, and do other stupid stuff). Based on personal experience, the more you can screen up front (including denying entry for obvious intoxication), the less you have to deal with inside. Some items, particularly cans and bottles, are also very hazardous in a stadium environment. I’ve seen people nearly killed by an errant beer can thrown from the crowd at the crappy ref. As for the legality, go look at the back of your ticket. Even if built using public money, a stadium during an event is a private facility. Otherwise, technically, anyone could go for free. On all your tickets to any concert or game is the provision that you can be denied entry for any reason. Refusing to subject yourself to a search is a good reason. Besides, court houses, legislatures, military bases, and all sorts of other facilities are bought with public money and subject to security rules for public or private safety. What makes a stadium any different? Get over it. No one wants to pat down your ugly ass anyway, so it’s not like they enjoy it. Share:

Share:
Read Post

Barenaked- Stripping DRM

I travel a lot, and on occasion I’ll run Nmap or some other scanner from my hotel room to get an idea of what’s out there, and how dangerous these hotel networks really are. To be honest it’s not something I do all that much anymore since even scanning an open network is running the risk of being considered over the line. But I just discovered a new security tool. It’s free. And it even plays music! Yes, the ever venerable and recently updated iTunes turns out to be an honest to goodness, if limited, security scanner. How? Well, I arrived in my hotel room last night, connected to the network, and launched iTunes for some background working music. Very quickly I saw four shared iTunes libraries on the network (without even looking actively, if you have iTunes set to find shared libraries they pop up all on their own after that). Some of my fellow traveler’s musical tastes are fairly interesting. In three of the four libraries the users conveniently included their personal name in their shared library name. One user even had the word “Limewire” in his (judging by his real name) library name. Huh. I wonder if he acquired all the music legally? Thus iTunes is now my new network security tool- I can instantly tell if I’m connected to a switched or segregated network, and even pick up the names and listening habits of other hotel guests. Anyone know if the RIAA offers a bounty? I mean they sue grandmothers and children, I don’t see why they wouldn’t start a confidential informant project. (Update 9/16 : DM and Chris Pepper remind me this feature isn’t anything new. Actually, I’ve used it for years on my home network, but this is the first time I’ve noticed random users on a hotel network and I found it amusing.) Share:

Share:
Read Post

Registered Traveler Program is a Security Scam

Electronic voting seems to be popping up again thanks to our favorite digital ostrich, Diebold. Martin Mckeay’s also writing on this a bit, and it’s well worth reading. This isn’t the first time I’ve mentioned this, and I didn’t come up with the idea, but with the most recent Diebold gossip I think it bears repeating. Gambling systems, electronic or physical, undergo extensive testing, validation, and auditing. We’re not just talking hacking, they shock the darn things with cattle prods and attack them using such phenomenally creative techniques that I’m awestruck the few times they show it on Discovery channel specials. And it’s the complete system that’s tested and audited constantly- even the odds distributions among video poker clusters in casinos (which are audited externally by various gambling commissions in the sin city of your choice). What does this have to do with voting? Gambling systems are somewhat unique in that pretty much everyone involved has an incentive to cheat everyone else. Were talking about a system where no one can really trust anyone. Sure, casinos (at least in Vegas) are on the up and up, but do any of you really trust them? They sure can’t afford to trust us, and pretty much no one trusts the government. The result? Some fracking good security. So here we have a highly secure system of numerous specialized electronic devices operating in a networked (or non-networked) environment with near-perfect auditability. Hmm, where else might we want a similar system? Heck- they even already have testing labs and audit standards. Funny how closely related gambling and politics are. I wonder if cattle prods are illegal in voting booths? I wonder how long Diebold would survive in Vegas? (I’ll be the first to admit us security types have a habit of blabbing on any topic we can possibly stuff into the security bucket, but electronic voting happens to be one of the areas where our experience is directly applicable. I don’t know too many (any) security types that try to justify Diebold’s positions. They’re either criminal or mentally incompetent.) ((And speaking of casinos- one of my favorite memories of Defcon was how none of the stores in the casino would take credit cards during the event.)) Share:

Share:
Read Post

NIST Recommending Decertification of DRE E-Voting?

Reported over at Internetnews.com. The National Institute of Standards and Technology (NIST) is recommending that the 2007 version of the Voluntary Voting Systems Guidelines (VVSG) decertify direct record electronic (DRE) machines Not verified yet, but this could be a very major development, if true. I don’t completely agree with ba ing all DRE- they play a valuable role for disabled voters and a few other demographics. During the last election I watched one older gentleman leave to go get a magnifying glass, since he couldn’t read the optical scan ballots. Requiring a stronger voter verified paper record for a recount, rather than ba ing all DRE, seems more reasonable. Share:

Share:
Read Post

The Security Mindset

A few months ago I picked up a Western Digital external hard drive at Costco since my MacBook’s internal drive was a bit stuffed with digital photos. The WD drive is a pretty nice USB drive and really portable. The problem? I started having some intermittent failures on the drive. Since this is where I now keep my wedding photos (backed up somewhere else, of course) I decided to return it before it totally died on me. I got the replacement drive, packed up the original, and heading to the shipping store… … where I realized I hadn’t wiped the drive. While it’s just photos, and none of them are of an embarrassing nature, I still don’t relish the idea of seeing them “enhanced” and posted on MySpace. Lucky for me I use a Mac and safe erasing is an integral part of Disk Utility. I ran the program, clicked the security options button, and chose the 7 times overwrite option. 7x might be overkill for some non-sensitive photos, but I figured it would be a good test to see how long it takes. The answer is about 7 hours for a 120 GB USB 2.0 external drive. For the record. Oh well, I guess it isn’t going out today. But I’m darn glad I remembered to wipe the drive before shipping it back. I’d really hate to see any pictures of our cat show up on some sick kitty-porn site. And I’m really glad Apple makes it so easy. Microsoft also has secure formatting options, but generally you need a third party tool (or write your own script) to get the same degree of security. Unless the data is encrypted, without overwriting it’s pretty likely someone can recover it. Then again, smashing is probably faster. But Western Digital might not appreciate a smashed return. I’d probably lose my deposit. (edited 9/10 to add disk size of 120 GB) Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.