Research

It’s a new year, so let’s get physical and personal. I wondered what people do about physical security specifically – how do you protect your laptop while on business travel? Hotels, airports, cars, etc. We have all seen that “road rules” can be pretty different, so what precautions do you take to ensure your laptop and devices return home safely? Do you always carry your laptop? Carry a lock? Have ways to hide it? It seems like there are no real 100% answers or ‘best’ practices – just least-bad practices, and answers I hear are an interesting mix of personal and technology options. I asked a number of folks and here is what they said. (please comment on your own “least bad” approach) “I usually carry my laptop. But have left it in an in-room safe and locked in my bag. I don’t leave anything out and visible.” Hotels: “On rare occasions that I leave it in my room, i leave the Do Not Disturb sign up. Disinformation FTW. I think the real answer is try to travel with tablets and not laptops if possible” “I try to avoid traveling with a laptop anymore, although I still need it for conferences usually.” “I use the do not disturb trick, and I never use the hotel safe since that’s the first place they’ll look. I bury my laptop in my clothes bag when I leave it. With an 11-inch MacBook Air, that’s easy. But the truth is it is disposable for me. I’d be out the money, but being well encrypted I don’t worry about data loss. And everything is synced anyway.” I have only been able to do this for the past few years thanks to Dropbox and a few other things. (This one is from our very own Rich Mogull). “I rarely travel with a laptop, and keep a short lock on iOS devices.” On TSA: “I don’t care about TSA – nothing to hide. But I do shut down if I’m someplace where I worry about cold boot (China).” What are your road rules? Share:

GigaOm offers a fascinating glimpse into Netflix’s EC2 architecture: Netflix shows off how it does Hadoop in the cloud: “Hadoop is more than a platform on which data scientists and business analysts can do their work. Aside from their 500-plus-nod[sic] cluster of Elastic MapReduce instances, there’s another equally sized cluster for extract-transform-load (ETL) workloads – essentially, taking data from other sources and making it easy to analyze within Hadoop. Netflix also deploys various “development” clusters as needed, presumably for ad hoc experimental jobs.” The big data users I have spoken with about data security agreed that data masking at that scale is infeasible. Given the rate of data insertion (also called ‘velocity’), masking sensitive data before loading it into a cluster would require “an entire ETL cluster to front the Hadoop cluster”. But apparently it’s doable, and Netflix did just that – fronted its analytics cluster with a data transformation cluster, all within EC2. 500 nodes massaging data for another 500 nodes. While the ETL cluster is not used for masking, note that it is about the same size as the analysis cluster. It’s this one-to-one mapping that I often worry about with security. Ask yourself, “Do we need another whole cluster for masking?” No? Then what about NoSQL activity monitoring? What about IAM, application monitoring, and any other security tasks. Do you start to see the problem with bolting on security? Logging and auditing are embeddable – most everything else is not. When the Cloud Security Alliance advised reinvestment of some savings back into security, I don’t think this is quite what they had in mind. Share:

Identity management on mobile devices: How do we do it? I have been taking a lot of calls on mobile identity issues and solutions over the last three months, and I am just as confused now as when I started looking into this subject. And I think the vendors I have spoken with are reaching, in their assessments of the right course of action and where the market is heading. If you want to implement identity on a mobile device, what do you do? Option 1, Crawl: Use a mobile browser and capture user names and passwords just like we do on the desktop. But mobile browsers kinda suck. People don’t want to use them and they suffer many of the same security problems we have had for a decade (see OWASP Top 10). Option 2, Toddle: Augment with OAuth tokens. Is OAuth 2.0 even a standard? But what about the security issues of encryption, digital signatures, and bi-directional verification of trust? Option 3, Walk: Adopt the ‘App’ model, and create an IAM app, which handles all the complicated identity stuff on your behalf. How does that app cooperate with other apps? How do we deal with personal and corporate personas? How do we deal with knowing the user is who they are supposed to be, and not a random person who found your phone? Option 4, Run: Use special features of the mobile platform, such as voice recognition on phones, or cameras for facial recognition? Will that work when I am on the subway or in Starbucks? Does Joe User want that – enough to pay for it – or will they look at such things as privacy violations? These are the options I am hearing about. And none of them seem to be fully thought out. And once we get past Toddle, who’s the buyer? Seeking wisdom, I scaled the mountain to discuss the topic with Securosis’s IAM guru, Gunnar Peterson. What I got was: “Mobile Identity? Ooohhh – it’s early days and it’s an unholy mess”. Yes, that pretty much summed it up. Gunnar agreed that this is the current progression, and that Identity definitely gets ‘stronger’ with each progressive step outlined, but it also gets much more complicated. Do you think I am over-reacting? Did I miss anything that concerns you? This is a topic we will dive into over the coming weeks, so I would like to hear from the community. Share:

The High Price of the Silence of Cyberwar: In today’s debate about cyberwar, all information disclosed seems to come with an agenda. Everyone evaluating the information is forced to look not only at the information, but the motivation for revealing that information. Worse, they can question if the information not revealed is shaped differently from what is revealed. A defender who reveals information regularly and in accordance with a policy will gain credibility, and with it, the ability to better influence the debate. Adam brings up an interesting point here, regarding whether there are advantages for nation states to discuss the kinds of attacks they are stopping. Of course, the quote above sums up the issue – which is balancing information versus disinformation and not causing a panic. Adam defends disclosure (mostly to a fault), and we need folks out there pushing for more information sharing, which is critical to evolving the practice of information security. That said, I do think in a lot of cases the public can’t handle the truth. They don’t want to handle the truth. They want to remain blissfully unaware of the impact of any attack, whether it’s an ICBM or a Stuxnet targeting their country’s critical infrastructure. What turns out to be a very brittle critical infrastructure – at least from an information security standpoint. Maybe we’ll get to the point where the military apparatus parades a country’s hackers through the capital like they do the tanks and armored militia, just to allay the fears of the populace that someone is defending the cyber frontier. Now that would be entertaining. Share:

Feds step up HIPAA enforcement with hospice settlement The Hospice of North Idaho (HONI) in Hayden will pay $50,000 to avoid more costly penalties if it would have been found in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HONI’s settlement, reached last Friday, stems from a June 2010 incident when an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients was stolen from an employee’s vehicle. For anyone still agonizing over deploying full disk encryption (FDE) on any device that handles protected data: Stop. It. Now. Just buy it. Yes, maybe the breach will happen to the other guy. Maybe the fines will hit the other guy. But clearly HHS wants to make examples of some folks, and you don’t want them to pick you. By the way, if you are worried about FDE costing a bunch of extra money, I’ll let you in on a little negotiating tactic. If you use Vendor X for endpoint protection, invite the rep in for a visit. Then strategically leave a mug from Competitor Y on you desk. Or maybe even give the rep coffee in the other vendor’s mug. Is that tacky? Sure, but it sends a clear message that you have options for endpoint protection. Which you do. Share:

Zero-day in the wild, in a popular exploit kit. From Brian Krebs: The hackers who maintain Blackhole and Nuclear Pack – competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they’ve added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. Alienvault confirms: Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab. To the best of your ability, disable Java in browsers and keep it that way. Otherwise you need alternate compensating controls. No idea if EMET helps with this, but that’s one place to start looking. Share:

I can’t believe I forgot to post here when I put the article up on TidBITS, but here you go: Do You Need Mac Antivirus Software in 2013? While Macs aren’t immune to malicious software (malware), and we even experienced one reasonably widespread incident in 2012, malware on Macs is still not nearly common enough to recommend antivirus software for everyone. And while antivirus tools are effective against certain known attacks, they often don’t provide the level of protection people expect. … If Mac antivirus tools offered 100 percent effectiveness – or even 99 percent – I might take a different position. If we ever see massive volumes of malware, as happens in the Windows world, I might change my recommendations. But at this point, there are so few Mac malware infections, and antivirus tools are so limited, that for most users of current versions of OS X, antivirus doesn’t make sense. During the Flashback infection there were accusations that Mac users were too smug, or too ill-informed, to install antivirus software. But the reality is that antivirus tools offer only limited protection, and relying on antivirus for your security is as naive as believing Macs are invulnerable. Enterprises are a different story. Share:

But, he said, segregation of EHR data simply is not feasible or practical for integrated health systems such as Wellstar, … “But I also have to be able to make the information available immediately in an emergency,” he said. “A 90-second delay if you’re waiting at an ATM for your money is an inconvenience. But if it takes 90 seconds figure out if you’re allergic to penicillin, it could be a matter of life and death. Segregated healthcare networks rarely work, expert says Nice to see our friend Martin Fisher give some good quote in the CSO Online article and he’s right. As more integrated business systems become pervasive, they screw up your ability to segment networks. To be clear, segmentation is your friend, but that only works when you can segment. Otherwise you need to provide more access than you’d prefer, and that means the focus turns toward authentication (making sure the right people get on) and security monitoring. If you can’t keep them out, you had better be able to React Faster and Better. Share:

Tina Slankas presented at the Phoenix ISSA chapter this week on use of patterns for building security programs – slides can be downloaded here (PDF). The thrust of her idea was to use patterns – think design patterns if you like – for putting together control frameworks to define security efforts. Tina stated she was using the definition of ‘pattern’ in a very broad way, but the essence was reusable constructs for managing different aspects of enterprise security. For example: how identity management will function at a high level, and how will it fit with other systems. As a software developer or architect, patterns are invaluable for object-oriented programming, helping model complex ideas as a collection of simple patterns. To be honest, I abandoned the idea of secure design patterns for software architecture pretty much when I first got involved with security. I could not articulate security into the patterns, be they behavioral or structural. Maybe that was just my lack of skill at the time, but it felt like the complexities of how to secure code were beyond pattern descriptions. What was compromised was not as interesting as how it was compromised, and it usually turned out to be a process or protocol that got abused. It was the bits flowing between different patterns, or the ones left undefined, that I worried about. Trust relationships. Assumptions. Identity. Avoiding things like replay attacks. Repudiation. The problem space felt process-oriented, not object-oriented. But in terms of a control or management framework for IT systems, reusable patterns are an interesting idea. They help with consistency across multiple sites/deployments. They offer a layer of abstraction – you don’t care if the problem is solved by a firewall, a WAF, or DLP, so long as the required controls are in place and meet the requirements. Your could represent the entire PCI specification as a set of patterns. Unless you have a huge infrastructure to manage, I’m not clear how practical this is – but I am interested in the idea of security patterns. I remain skeptical of its value for secure code development, but I see its value for security program management. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich’s TidBITS post: Do You Need Mac Antivirus Software in 2013? Gunnar’s Dark Reading post: What Is It You Would Say That You Do Here? Adrian’s Dark Reading Post on DB Threats and Countermeasures. Securosis Posts $50K buys how much FDE? Java Sucks. Again. Most Consumers Don’t Need Mac AV. Integration vs. Segregation. DDoS: Distributed, but not evenly. Incite 1/9/2013: Never Lost. Detection vs. Protection and the Game of Words. ENISA BYOD FTW. Pwn Ur Cisco Phone. Understanding Identity Management for Cloud Service: The Solution Space. Prove It to Use It. Bored? Set up your own CA. Internet Explorer 8 0-Day Bypasses Patch. Favorite Outside Posts Adrian Lane: Hardening Sprints. What are they? Do you need them? I’m a big fan of the occasional hardening sprint to let each developer fix one thing that bugs them, to pull stuff out of the security bucket list, or to otherwise do quality control. James Arlen: Nather’s Law of Policy Management. Mike Rothman: State sponsored attack: a howto guide. For a change, Rob Graham is lampooning the prevailing wisdom. He’s very good that that. Project Quant Posts Malware Analysis Quant: Index of Posts. Malware Analysis Quant: Metrics – Monitor for Reinfection. Malware Analysis Quant: Metrics – Remediate. Malware Analysis Quant: Metrics – Find Infected Devices. Malware Analysis Quant: Metrics – Define Rules and Search Queries. Malware Analysis Quant: Metrics – The Malware Profile. Malware Analysis Quant: Metrics – – – Dynamic Analysis. Research Reports and Presentations Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Understanding and Selecting Data Masking Solutions. Top News and Posts Adobe fixes Flash Player and Microsoft patches IE 10 to update its built-in version. Under the hood of the cyber attack on the U.S. Banks. Facebook, Yahoo Fix Valuable $ecurity Hole$. Zero-Day Java Exploit Debuts in Crimeware. Does Your Alarm Have a Default Duress Code? How PCI Standards Will Really Die. Enhancing Certificate Security. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Bert Knabe, in response to Prove It to Use It. You mean you don’t believe it?! It’s from a government official! They never lie! Share:

It shouldn’t come as any surprise, but big financials are still suffering a wave of DDoS attacks. DDoS is like an accidental amputation – there is no question whether it’s a problem. The trick is to know ahead of time if you are on the list, and the best thing to do is keep an eye on your peers. Not everyone needs to invest proactively in DDoS protection, but you sure as heck need a plan and a vendor contact just in case. Especially if you are big, handle money, work with (or piss off) governments located “East” (Europe, Asia, Middle, whatever), or like to poke Anonymous. Update 1/9: According to the New York Times, a “former” gov official with connections says Iran is definitely behind the attacks. Backing up the rumors we’ve all been hearing from the start. Share: