Research

Internet troll “weev” sentenced to 41 months for AT&T/iPad hack Weev is a total sociopath (not just a troll), and I have no sympathy for him. He wouldn’t know altruism if it kicked him in the nads, and I have little doubt his goal was to harm AT&T with his discovery. But, by all appearances, this is a weak case and a stretch of the Computer Fraud and Abuse Act with consequences not only for legitimate security research, but for Internet use in general. But don’t make him a martyr or an antihero. Weev is vile scum, who appears to be getting off on all the attention. If he wins on appeal he is bound to end up in jail sooner or later, but at least then it will be for a real crime, and hopefully will not bad establish case law with chilling effects. Share:

I am pretty upfront about my turbulent job history. Some of the issues were due to not doing enough homework up front before taking a job. But as I look back I am not sure I would have made different decisions about which jobs to take even if I had done more homework. A post at SCMagazine by Justin Somaini makes a couple good points about what questions to ask before taking a CISO job. Understanding a company’s standing is always important. Is the company losing revenue? Have executives and/or board members left? Is the company prime for a takeover? Are competitors dominating the industry? All of these questions help determine a company’s health: a factor that will be critical to know if you’re going to make the right move. While risks can pay off, you want to know what you are getting into. A company in turmoil will be more resistant to funding projects, hiring new staff, or making security a priority. Okay, that’s pretty obvious. You need a shot upside the head with a clue bat if you aren’t really scrutinizing the financials and market position of any potential employer. One of the worst aspects of security groups, let alone IT, is staff management. It is common to have to restructure a team based on skills gaps. So always try to determine how large the team is in relation to the overall company and IT staffing. Typical security groups for companies of 10,000 to 15,000 full-time employees will have 25 to 30 staff. This does not include IT operational teams that I usually leave in a separate group. Is last year’s attrition rate at the typical 10 to 15 percent? Is the staff located in key areas for the company? Are there cascading goals from corporate objectives? Are reviews done quarterly and historically attached to goals? What are the results of the latest employee survey? Has there been a layoff or hiring freeze in the past 18 months? As with financial assets, not having the right human capital will only make your job tougher, so ask the questions. I am not sure you will get real answers to these questions. If you are interviewing for the senior role on any team you should expect the senior management to tell you that you will be able to make the necessary changes to deliver results. Of course you can meet all the folks already on the team, but in my experience everyone is on their best behavior during the interview process. They will blow smoke in your hind section if they think they can salvage their jobs. So you won’t really know what folks can do and the internal douche quotient until you get boots on the ground and dig in. That’s why I highly recommend a rent-to-buy scenario. Take a 3-month consulting gig, with the expectation that things will work out and you’ll become permanent at the end of that probationary period. That mitigates risk on both sides and can prevent serious mistakes. I have a good friend who did exactly this prior to a relocation. Within a month he knew the situation wasn’t a good fit, and he exited gracefully after his contract was up. Let me throw one more point at you. There is no excuse for not making a few phone calls to learn what may not be obvious during interviews. Call some folks who will provide honest answers about culture and work environment. Yes, I’m taking about former employees. It still amazes me the number of folks who do not call me before taking a job I had – working for the same folks. I could have given them an informed perspective on some of the good and a lot of the bad. Of course it’s my opinion, but it’s another data point in a pretty important decision. But go in with your head up. Understand you won’t know everything you need to know. Things will be different. Sometimes you’ll be pleasantly surprised. Other times not so much. Which is part of the game. Photo credit: “Rent-A-Center store” originally uploaded by benchilada Share:

As a huge NFL fan with the DTs without a game to obsess about each week, I am constantly looking for parallels between football and my daily existence. Adrian talked a bit in one of his Incite snippets last week about how Facebook uses red team exercises to make sure they are prepared for the real thing. Luckily, the answer was yes, because the incident wasn’t real. It was the first of two large-scale red team exercises that Facebook has conducted in the last year. Red team exercises are certainly not a new concept–they’ve been around in the military world for decades and carried over into network security. But few of them are conducted in the way that this one, known internally as “Vampire”, was. McGeehan’s team kept the ruse going for more than 24 hours and kept close tabs on the way that the various participants reacted, communicated and disagreed. The idea, of course, is to prepare the teams for a real-life incident. And this comes back to something we hear in football circles every week. It’s all about the preparation. The teams put the work in (at least the ones that win), and they trust their preparation and just play on Sundays. They are ready and they give themselves a chance to compete. “We’re very well prepared now and I attribute that to the drills,” he said. “I’m not sure it would have worked as well otherwise. It felt like the second time we were responding to it and we were all ready for it. It was a much more calm, smooth response. [The exercises were] an incredible net positive.” The security world is no different. If you spend all day fighting fires and not preparing for incidents, how can you (and your team) expect to perform when the brown stuff hits the fan? You can’t. Which is fine. Though your management may have a different opinion. So you are best off making it very clear that based on staffing, expertise, funding, whatever, certain things aren’t getting done. Rather than Adrian’s call for the proverbial Security Chaos Monkey to be constantly testing your defenses, I prefer to focus on how to behave given the fact that you don’t have the resources to prepare properly for incidents. As I harp constantly, if you want to have any longevity as a CISO (or another senior security role), you had better get good at managing expectations. Of course that may not save you if (when) things go south. But at least you will have made it clear that you did not have the resources you needed, to the person responsible for getting you those resources. I underertand that many proud security folks would rather be caught dead than actually admit they can’t do their jobs. Which is too bad because excessive pride tends to be a major factor underlying high CISO turnover. Photo credit: “Untitled” originally uploaded by dabruins07 Share:

One of the things I miss least about doing marketing on a daily basis is product reviews. Of course when you win it’s awesome. You can then puff up your chest and take a victory lap as the sales folks use the review to beat down the competition. But when you lose it totally sucks. And depending on the culture of the company, unless it was a clear and decisive victory, it may be taken as a loss. Which requires damage control, forcing you to spin why the test was flawed. Then you need to question the integrity of the reviewer. That makes you many friends in the media community. Basically you have to figure out a way to make manure smell like roses. And no, it doesn’t usually work. So I wouldn’t want to be the folks responsible for running the NSS firewall test at WatchGuard. They got hammered. You can see the value map by registering on Dell SonicWALL’s site, but you can get the highlights and see WatchGuard’s beatdown in this CRN summary of the report. “Although WatchGuard demonstrated a good level of exploit protection, it was let down by its poor antievasion capabilities and a suboptimal price-performance ratio,” NSS Labs noted in its report. Frank Artes, director of research at NSS Labs, said the company also had some shortcomings to its system management capabilities. The company’s system manager was not as scalable and mature as other vendor products. WatchGuard was the only vendor tested by NSS Labs that was given a “caution” designation. The only vendor given a caution designation. Ouch. So their response is what? Dave Taylor, vice president of corporate strategy at Seattle-based WatchGuard, said the technology is tuned as a unified threat management appliance and not as a firewall. Really? It’s tuned as a UTM and not a NGFW? WTF? He is basically acknowledging that the product isn’t a modern device. Who doesn’t want to buy a modern device? Who wants to buy yesterday’s technology? Spin FAIL. But I am trying to understand why they participated in this test. Clearly, if every other vendor has a product with a modern architecture, and you don’t, the best thing to do is to not participate. But they did and it didn’t end well. Did I mention I don’t miss dealing with product reviews? Photo credit: “62:365 – Taster Testings” originally uploaded by Nomadic Lass Share:

The rhetoric about cyberattacks is nearly deafening. It seems like my Twitter timeline blows up every day about cyber-this or cyber-that. Makes me want to cyber-puke. Since Mandiant pointed the finger at China everyone seems to be jumping on the bandwagon of tough talk and posturing. Take example #1: The US is now fielding teams to play offense and respond to computer attacks on critical infrastructure. I would like to be clear that this team, this defend-the-nation team, is not a defensive team,” Gen. Keith Alexander, who runs both the National Security Agency and the new Cyber Command, told the House Armed Services Committee. “This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we’re creating are for that mission alone. Uh, this is news? Maybe that there is finally acknowledgement that the US (along with every other first world nation) invests in building cyber-attack capability. I know it’s hard to remember, but a few short years ago there was an uproar when Anonymous documentated that HBGary was proposing to build weaponized exploits. Where’s the uproar now? Oh yeah, now it’s politically correct to defend ourselves. This is media-driven nonsense. I doubt the strategy has changed at all, except maybe accelerated a bit. Though it will be interesting to see if and how sequestration impacts these kinds of investments. Rich recently pointed out that China is fundamentally different because they use military hacking apparatus to help commercial Chinese entities gain intelligence that helps them win big contracts. Obviously Israel’s announcement that their cyber-defense capabilities will be used to protect private Israeli enterprises is different, but it is another clear indication that the line is blurring between the private and public sectors. As it should. The Defense Ministry will set up a new body to support local defense industries in coping with cyber threats, ministry director-general Maj.-Gen. (res.) Udi Shani announced Tuesday. And if you need another data point showing ‘cyber’ is the new hotness, the CEO of BP disclosed on CNBC that BP Fights Off Up to 50,000 Cyber-Attacks a Day. Cybersecurity is a growing issue around the world, not only with companies but with governments,” Dudley observed. “We see as many as 50,000 attempts a day like many big companies … to my knowledge we haven’t had an incident that’s taken away data from us, but we’re incredibly vigilant. Clearly someone is hiding something from the CEO here, but he pulled the plausible deniability card in the form of “to my knowledge…” But if he’s right and they haven’t lost any data that would make them only such company. And before you start bitching in the echo chamber about how the hype is getting in the way of you doing your job because you are being paraded in front of the board and up to the CEO’s office once a week, remember when no one gave a crap about security. It’s always good to be careful what you wish for. Share:

Raising children in the age of the Internet is both exhilarating and terrifying. As a geek I am jealous of the technology my children will grow up with. You can make the argument that technology always advances, and my children will feel the same way about their offspring, but I think the genesis of the Internet is a clear demarcation line in human history. There is the world before the Internet, and the world after. The closest equivalents are the rise of agriculture and the Industrial Revolution, and I argue the Internet hit harder and faster. Mix in mobile devices, near-ubiquitous wireless data, and “the cloud”, and the changes are profound. Part of me feels incredibly lucky to have lived through this change, and another part is sad it wasn’t around sooner. It is an exciting time to raise kids. The resources available to us as parents are truly stunning. We have access to information resources our parents couldn’t conceive of. Want to know how to build a robot? Make the perfect sand castle? Build a solar-powered treehouse? Answer nearly any imaginable question? It’s all right there in your pocket. Anything my children choose to explore, I can not only support, I can get the supplies deliverd with free two-day shipping. My kids will grow up with drones, robots, 3D printers, and magical books with nearly all of human knowledge inside. Which isn’t always a good thing. Once they figure out the way around my filters (or go to a friend’s house), there won’t be any mysteries left to sex. Not that what they’ll find will represent reality, and some of it will warp their perceptions of normality. They will post their innermost thoughts online, without regard to what that may mean decades later. They will see and learn truly horrible things that, before the Internet, were physically isolated. They will witness lies and hatred on a colossal scale (especially if they post anything in a gaming forum). I accept that all I can do is try my best to prepare them to understand, filter, and think critically on their own. But I truly believe the benefits outweigh the dangers. Like this author, I will flood my children with technology. They have, today, essentially infinite access to technology. I don’t limit iPad time. I don’t count the television hours. We don’t restrict the laptops. This may change as they grow older, but my gut feeling is that the more you restrict something, the more they want it. And our family’s lifestyle is more centered on physical activity and creating than consuming. There is, however, one place where I have started restricting technology. Not for my children, but for myself. This week as I sat in the parents’ observation area at our swim school, I noticed every adult head wasn’t focused on their kids, but on the screens in their hands. Go to any playground or Chuck E Cheese and you will see more parental heads staring down than up. I noticed I do it. And my children notice me. Children, especially young children, don’t necessarily remember what we try to teach them. They, like nearly every other species, learn by watching us. And they remember absolutely everything we do, especially when it involves them. I don’t want my kids thinking that the screen in my hand is more important than they are. I don’t want them thinking that these wonderful devices are more important than the people around them (well, I do prefer Siri over most people I meet, but I’m a jerk). I can’t just tell them – I need to show them. I have started weaning myself off the screen. When I’m with my family, I try to only use it when absolutely necessary, and I verbalize what I’m doing. I am trying to show that it is a tool to use when needed, not a replacement for them. I am not perfect, and there are plenty of times it’s okay to catch up on email in front of my kids – just not when I should be focused on them. And, to be honest, once I got over the initial panic, it’s nice to just relax and see what’s around me. It doesn’t hurt that my kids are damned cute. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on Watering Hole Attacks. Adrian’s DR post: Database Security Operations. Favorite Securosis Posts Mike Rothman: Compromising Cloud Managed Infrastructure. You cloud is only as secure as the web interface you use to configure it… Adrian Lane: The BYOD problem is what? Rich: Ramp up the ‘Cyber’ Rhetoric. Other Securosis Posts Email-based Threat Intelligence: Quick Wins. Email-based Threat Intelligence: Industrial Phishing Tactics (New Series). A Brief Privacy Breach History Lesson. Incite 3/13/13: Get Shorty. Could This Be the First Crack in the PCI Scam? TripWire nCircles the Vulnerability Management Wagon. Untargeted Attack. Email-based Threat Intelligence: Analyzing the Phish Food Chain. In Search of … Data Scientists. Encryption Spending up in 2012. Security Education still an underused defense. Favorite Outside Posts Mike Rothman: Father hacks ‘Donkey Kong’ for daughter, makes Pauline the heroine. Hacking for the win. This is the right example to set for young girls. They can do anything they want. Adrian Lane: Which Encryption Apps Are Strong Enough to Help You Take Down a Government? People talk about privacy, but Matt Green arms you with some tools to actually help. The question is would you actually use these tools. Dave Lewis: Time Stamp Bug in Sudo Could Have Allowed Code Entry. Gunnar: Google services should not require real names – Vint Cerf. Two years back Bob Blakley brought us on a quick tour of the weak points of Google requiring real names – in a word: insane. Top News and Posts Spy Agencies to Get Access to U.S. Bank Transactions Database Microsoft and Adobe release patches to fix critical vulnerabilities. Deja patch. Obama Discusses Computer Security With Corporate Chiefs. Update on iOS 6 exploitation. TL;DR: it’s really hard. Blog Comment of the Week This week’s best comment goes to Nate, in response

The big ChoicePoint breach of 2004 was the result of criminals creating false business accounts and running credit reports on hundreds of thousands of customers (probably). Every major credit/background company has experienced this kind of breach of service going back decades – just look at the Dataloss DB. Doxxing isn’t necessarily hacking, even when technology is involved. All this has happened before, and all this will happen again. Even very smart humans are fooled every day. Share:

It’s hard to believe, but my family and I have been in Atlanta almost 9 years. The twins were babies; now they are people. Well, kind of. I grew up in the Northeast and spent many days shoveling our driveway during big snowstorms. Our 15 years in Northern Virginia provided a bit less shoveling time, but not much. But the ATL is a different animal. It snows maybe once a year, and the dusting is usually gone within a few hours. I can recall one time, over the past 8 winters, when we got enough snow to actually make a snowman. We are usually pummeled by one good ice storm a year, which wreaks havoc because no one in the South knows how to drive in bad weather, and I think there are a total of 3 snow plows in the entire state. Now that it’s starting to warm up a bit I look forward to breaking out my flipflops and summer work attire, which consists of shorts and T-shirts. Unless I have a meeting – then I wear a polo shirt. But that’s still probably 6 weeks away for me. Having grown up with the cold, I hate it now. I just don’t like to be cold. I get my Paul Bunyan on with a heavy lumberjacket (one of those flannel Thinsulate coats) to take the kids out to the bus in the AM. Even if it’s in the 40s. I have been known to wear my hat and gloves until May. Whatever it takes for me to feel toasty warm, regardless of how ridiculous I look. The Boy has a different opinion. It’s like he’s an Eskimo or something. Every morning (without fail) we have an argument about whether he can wear shorts. Around freezing? No problem, shorts work for him. Homey just doesn’t care. He’ll wear shorts at any time, literally. There was one morning earlier this year where I called his bluff. I said “fine, wear your shorts.” It was about 35 degrees. He did, and he didn’t complain at all about being cold. I even made him walk the two blocks to the bus and stand outside (while I sat in the warm car). He didn’t bat an eyelash. But the Boss did. I took a pounding when he came off the bus in shorts that afternoon. I tried to prove a point, but he took my point and fed it back to me, reverse alimentary style. No matter the temperature, a hoody sweatshirt and shorts are good for him. His behavior reminds me of returning to NYC after a college spring break in Acapulco many moons ago. Most of us were bundled up, but one of my buddies decided to leave his Jose Cuervo shorts on, while wearing his winter jacket. It was about 20 degrees, and after a week of chips and guacamole and Corona and 4am Devil Dogs (and the associated Montezuma’s revenge), we just absolutely positively needed White Castle. Don’t judge me, I was young. My friend proceeded to get abused by everyone in the restaurant. They asked if he was going to the beach or skiing. It was totally hilarious, even 25 years later. I can totally see the Boy being that guy wearing shorts in the dead of winter. But part of being a parent is saving the kids from making poor decisions. The Boss is exceptional at that. She proclaimed the Boy cannot wear shorts if it will be below 50 degrees at any time during the day. There were no negotiations. It was written on a stone tablet and the Boy had no choice but to accept the dictum. Now he dutifully checks the weather every night and morning, hoping to get the high sign so he can wear his beloved shorts. Who knows, maybe he’ll become a meteorologist or something. Unless they tell him he can’t wear shorts on air – then he’ll need to find something else to do. –Mike Photo credits: Taking a jog in shorts after Winter Storm Nemo originally uploaded by Andrew Dallos Upcoming Cloud Security Training Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training in Reading, UK April 8-10. Sign up now. Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Email-based Threat Intelligence Quick Wins Analyzing the Phishing Food Chain Industrial Phishing Tactics Understanding Identity Management for Cloud Services Buyers Guide Architecture and Design Integration Newly Published Papers Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Incite 4 U Everything increases risk if firewall management sucks: In this week’s mastery of the obvious piece, we hear that Segmentation Can Increase Risks If Firewalls Aren’t Managed Well. The article provides a bully pulpit the firewall management vendors to tell us how important their stuff is. Normally I’d lampoon this kind of piece, but operating a large number of firewalls really is hard. Optimizing their use is even harder. Do it wrong, and you create a hole big enough to drive a truck through. So after years of maturing, these tools are finally usable for large environments, which means we will be doing a series within the next month or so. Stay tuned… – MR Preparation: I loved the idea of Netflix’s Chaos Monkey when I heard of it. An application that looks for inefficient deployments and deliberately causes them to fail. Very much in the Big Data design philosophy, where you assume failure occurs regularly – which both makes Netflix service better and continually verifies system resiliency. So when I read Threatpost’s How Facebook Prepared to Be Hacked I thought it would be

A sports clothing retailer is suing Visa to recover a $13M fine for a potential data breach. The suit takes on the payment card industry’s powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen. It accuses Visa of levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for levying penalties and engaging in unfair business practices under California law, where Visa is based. PCI is designed to push nearly all risks and costs onto merchants and their banks through a series of contracts. The PCI Security Standards Council has stated that no PCI compliant organization has ever been breached. This is a clear fallacy – merchants pass their assessments, they get breached, and then PCI retroactively revokes their certifications. Fines are then levied against the acquiring bank and passed on to the merchant. When a breach occurs, the card companies collect their fines from the third-party banks that process the card transactions, instead of the merchants, who have more incentive to fight the fines. Third-party banks then simply collect the money from the customer’s account or sue them for uncollected balances, using the indemnification clauses in their contracts to justify it. The card companies collect their fines with no hassle and merchants, in the meantime, are left fighting to dispute the fines and get their money back from the card companies. In this case, the retailer (Genesco) is suing Visa for violating their own policies, especially since there was no evidence that card numbers were exfiltrated or used for fraud. Watch this one closely. If it succeeds there will likely be a flood of similar cases. This case doesn’t seem to attack the root of the PCI system itself (the contract system), but I could see that easily getting wrapped into either this case or a future one if Genesco is successful. Seriously – I don’t think all of PCI is bad, but the PCI SSC claims that no compliant organization has been breached is a load of (my favorite word beginning with ‘s’). That position and their policies on fines convinces me PCI is a scam. Especially since they even try to intimidate PCI assessors who speak negatively about PCI in public (yes, direct warnings to shut up or else, I have been told). The card companies, especially Visa (who pulls most of the strings), have a chance to change course and clean up the issues that undermine a program that could be very beneficial. But PCI is currently losing what little legitimacy it has. Share:

It’s funny how you suddenly remember random conversations from months ago at the strangest times. I recall having breakfast with some of my pals at TripWire at RSA 2012 (yes, 13 months ago), and them peppering me about the vulnerability management market. Obviously they were shopping for deals, but most of the big players then seemed economically out of reach for TripWire. And there was nothing economically feasible I could recommend for them in good conscience. What a difference a year makes. It seems the Thoma Bravo folks have TripWire hitting on all cylinders, and they are starting to flex some of that cash flow muscle by acquiring nCircle, one of the 4 horsemen of Vulnerability Management (along with Qualys, Tenable, and Rapid7). Both are private companies, so we won’t hear much about deal value, but with alleged combined revenue of $140 million in 2012, the new TripWire is a substantial business. As I wrote in Vulnerability Management Evolution, VM is evolving into more of a strategic platform and will add capabilities like security configuration management (as opposed to pure auditing) and things like benchmarking and attack path analysis to continue increasing its value. TripWire comes at this from the perspective of file integrity and security configuration management, but they are ultimately solving the same customer problem. Both shops help customers prioritize operational security efforts by poses the greatest risk – in concept, anyway. And for good measure, they both generate a bunch of compliance-relevant reports. The video describing the deal talks about security as business value and other happy vision statements. That’s fine, but I think it undersells the value of the integrated offering. You see, TripWire has a very good business assessing and managing devices using a device-resident agent. nCircle, on the other hand, does most of its assessment via a non-persistent agent. We believe there will continue to be roles for both modalities over time, where the agent will be installed on important high-risk devices for true continuous monitoring, and the non-persistent agent handles assessment for less-important devices. It’s actually a pretty compelling combination, if they execute the technical integration successfully. But this isn’t our first rodeo – good technical integration of two very different platforms is very very hard, so we remain skeptical until we see otherwise. In terms of market analysis, the deal provides continued evidence of the ongoing consolidation of security management. TripWire has said they will be doing more deals. Qualys has public market currency they will use to bring more capabilities onto their cloud platform. Tenable and Rapid7 both raised a crapton of VC money, so they can both do deals as well. As VM continues to evolve as a platform, and starts to overlap a bit with more traditional IT operations, we will continue to see bigger fish swallowing small fry to add value to their offerings. Our contributor Gal brought up the myth of TripWire’s ecosystem and questioned the openness and accessibility of integration, given what they have accomplished to date. I’m more inclined to put every vendor’s ecosystem in the BS camp at this point. TripWire and nCircle will be tightly integrated over the next two years. They don’t have a choice, given the drive to increase the value of the combined company. Any other integration is either tactical (read: customer-driven) or for PR value (read purple dinosaur driven). Security companies pay lip service to integration and openness until they reach a point where they don’t have to, and can control the customer (and lock them in). To think anything else is, well, naive. To wrap up, on paper this is a good combination. But the devil is in the integration, and we have heard nothing about a roadmap. We heard nothing about what the integrated management team will look like. Nor have we heard anything about go-to-market synergies. There is a lot of work to do, but at least it’s not hard to see the synergy. Even if it’s not obvious to Jeremiah. Photo credit: “Circling the Wagons” originally uploaded by Mark O’Meara Share: