
Friday Summary

Friday, March 27, 2009

Friday Summary: March 27, 2009

By Rich

It is absolutely amazing how quickly time can rush past during the most momentous moments of your life. It was over three weeks ago that my daughter was born, and I’m still trying to figure out what the f&*% just happened. A lot of people made it sound like my life would suddenly crash to a halt as I vaulted into some other dimension of existence, but the changes, while massive, are also far more subtle and confusing. Needless to say, I blame the reduced sleep (which still isn’t as bad as it was in paramedic school).

While my personal life is changing, so is the world that is Securosis. You may have noticed my nearly complete lack of blogging the past couple of weeks. While I’d like to blame The Nugget, our changes on the corporate side are just as big. We’re close (oh so very close) to unveiling our new website, a major new public project, and a big influx of content. We’re so close that this blog is officially in maintenance mode as we get the last of the old content transferred to the new site, our templates cleaned up, and new content filled in. And the refresh is just the start; as we get the new site stable we are going to keep adding features and content, the vast majority of which will be, as always, free.

On a related note, we’re also working on our RSA schedules, and when the new site launches we will officially announce the Securosis Recovery Breakfast. I’d like to say we’re giving back to the community, but the truth is we’ll need the hangover relief just as badly as any of you.

And now for the week in review… at least what little of it I managed to notice:

Webcasts, Podcasts, Outside Writing, and Conferences:

  • Rich presented “Building a Web Application Security Program” at the Phoenix SANS training. We’ll get it posted once we transfer over to the new site.
  • Rich and Martin hosted another episode of The Network Security Podcast this week, covering some of the CanSecWest news and other happenings.

Favorite Securosis Posts:

Favorite Outside Posts:

  • Adrian: Gunnar Peterson on security people in software development.
  • Rich: John Gruber, at Daring Fireball, on Obsession Times Voice. This is pretty much the most important thing John has written about in a long time. Flat out: if you blog and are obsessed with numbers, you won’t achieve your goals. I barely check our stats, maybe once every other month, and once missed the fact that we had no stats for 3 or 4 months. It’s your passion for writing that brings in readers, not pandering for page views.

Top News and Posts:

Blog Comment of the Week:

Dre on Security Speedbumps:

No No No No No. Layers and defense-in-depth do not work unless you know YOUR OWN risks and point-solution defenses match the risks. “Layering for layering’s sake” does get adversaries poking right through billions of expensive layers. Don’t tempt me to argue against every point in this rant — you just set yourself up for massive failure.

–Rich

Saturday, February 28, 2009

Friday Summary: Feb 27, 2009

By Adrian Lane

It’s Friday again and time for the summary. It’s been a yin & yang kind of week for me, with mixed blessings and curses all around.

On the down side, Friday is always the day for bad news. It’s the day that Fannie Mae, Countrywide and others announce impending disaster so as to lessen the impact on the market. I just have to wonder if they learned that from Office Space. Based upon what I am seeing in the press, and some things here in Arizona, this Friday will be no exception as I expect there to be another big bank announcement. Four friends have lost jobs in the last week and are struggling to find any work, and I am going to have to help a friend move this weekend because their house is going back to the bank. One person I know had someone access their bank account with a fake ATM card, and my next door neighbor got a call Tuesday from Wells Fargo as someone was trying to make a “Phone Cash Advance” on their account. And yet another indication that the system is broken is the credit shell game, with Experian no longer willing to sell credit scores to consumers. Technically, they were not doing it before, but when pushed to sell consumers the real FICO scores, instead of the “FAKO’s” they have been providing, they decided to bow out. Should we just go back to cash? That would solve a lot of problems.

On the positive side we here at Securosis are in a very good mood and have high hopes for the future. Principal among the reasons for this is we are officially on “Nugget watch”, or rather we are waiting for the little Mogull to arrive soon. Mom is in good health and spirits while Rich is furiously decorating, arranging and preparing for the arrival. Male nesting … it’s simultaneously cute and sad to watch. But I have to say, the baby’s room looks great! Stay tuned as I will post something as soon as I hear more news.

I had several conversations with different SIM/SEM vendors this week and I view the changes as positive. It’s no longer “Gee, look at all this neat data we have” nor trying to convince customers how great aggregation is (gaak!), and more about using that data to solve business problems and building some intelligence into the products. Rich and I are seeing some very cool things happening around encryption and key management that should make a lot of people very happy, and we will begin the encryption series we promised in the next couple weeks. And it looks like Motorola found some loose change under the couch, spinning out Good Technology to Visto; Visto should be able to put the technology to good use. That’s all positive! Rich & I are both wrapping up a couple of interesting projects and about to commence on new ones as well so things are busy. I am even starting to get excited about going to Source Boston and seeing a bunch of friends. Maybe we will even get to see where Mr. Hoff lands!

Rolling into the weekend I am focused on the positive, so here it is, the week in review:

Favorite Securosis Posts:

Favorite Outside Posts:

Top News and Posts:

Blog Comment of the Week:

Allen Barronov on Will This Be The Next PCI Requirement Addition:

If you are putting money down, I’ll take you up on it; let me just get some poor sucker’s credit card details in case I lose.

On a serious note: DLP is very reactive.

One advantage is that your CEO doesn’t have to say (quoting from Bob Carr) “we were alerted by Visa” which sounds very weak and can really be read as “we had no idea that people stole information from us until someone else told us about it”. This is apparently quite normal.

Proactive is to analyse the entire PCI process from start to end and secure it accordingly.

A few companies that I have had the privilege of working for have firewalled their “process network” off from their main business network. The reason to do this is really to protect availability. If a virus hits the business network then the (real) money making part of the business can still function - there may be pain but the gadgets still get made/gathered/fixed/etc.

A payment processing business should think: PCI transmission is different from the normal network traffic and they should separate it accordingly. If Sue from Accounts gets a virus on her PC, it should not impact on PCI processing in any way (CIA).

I really like DLP but it is not a cure for bad network design.

I guess the answer is layers. Good network design (based on Business Processes) with DLP to catch the drips.

“You know what else everyone likes? Parfaits.” Donkey in Shrek.
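Allen’s point is that the payment-processing segment should be firewalled off so that an infected business PC cannot touch it, with DLP left to catch whatever leaks anyway. A design like that only holds if someone checks that the boundary is actually enforced, so here is an added example (not from the original post or comment) of a small audit that runs constructed flow-log lines against a zone policy and reports every flow that crosses the PCI boundary without being on an allowlist. The zone ranges, the allowlist entries, the log format and the sample records are all assumptions made up for this illustration.

```python
"""Added example: audit flow records against a PCI segmentation policy.

Not code from the original post. Zone ranges, the allowlist and the log
lines are constructed for illustration only.
"""
import ipaddress

# Constructed zone map: which address ranges belong to which segment.
# "internet" is a catch-all and must be checked last.
ZONES = {
    "business": [ipaddress.ip_network("10.10.0.0/16")],
    "pci": [ipaddress.ip_network("10.99.0.0/24")],
    "internet": [ipaddress.ip_network("0.0.0.0/0")],
}

# Constructed allowlist of permitted cross-boundary flows:
# (source zone, destination zone, destination port).
ALLOWED = {
    ("business", "pci", 443),   # hypothetical approved settlement gateway
    ("pci", "internet", 443),   # hypothetical link to the payment processor
}


def zone_of(ip):
    """Map an address to the first zone whose ranges contain it."""
    addr = ipaddress.ip_address(ip)
    for name in ("business", "pci", "internet"):
        if any(addr in net for net in ZONES[name]):
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed record of the form 'src=IP dst=IP dport=N proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def audit(lines):
    """Return (line, reason) pairs for flows that touch the PCI segment
    from another zone and are not on the allowlist."""
    findings = []
    for line in lines:
        src, dst, dport = parse_flow(line)
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue                      # intra-zone traffic is out of scope here
        if "pci" not in (sz, dz):
            continue                      # never crosses the payment boundary
        if (sz, dz, dport) in ALLOWED:
            continue
        if dz == "pci":
            reason = f"inbound to PCI segment from {sz} on port {dport}"
        else:
            reason = f"egress from PCI segment to {dz} on port {dport}"
        findings.append((line, reason))
    return findings


# Constructed sample flows, including Sue-from-Accounts reaching for a PCI host.
SAMPLE_FLOWS = [
    "src=10.10.4.21 dst=10.99.0.10 dport=443 proto=tcp",   # allowed gateway call
    "src=10.10.4.21 dst=10.99.0.10 dport=445 proto=tcp",   # SMB from a business PC
    "src=10.99.0.10 dst=203.0.113.5 dport=443 proto=tcp",  # allowed processor link
    "src=10.99.0.10 dst=10.10.7.7 dport=25 proto=tcp",     # PCI host mailing the LAN
    "src=10.10.4.21 dst=10.10.4.22 dport=445 proto=tcp",   # intra-business, ignored
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(reason, "|", line)
```

Both directions are reported on purpose: an unexpected inbound connection is the infected-PC case the comment describes, and unexpected egress from the payment segment is the kind of drip DLP is meant to catch but network policy should have stopped first.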

Now, I am off for some more stealth photography.

–Adrian Lane

Friday, November 14, 2008

Friday Summary

By Rich

I have to say, Moscow was definitely one of the more interesting, and difficult, places I’ve traveled to. The city wasn’t what I expected at all- everywhere you look there’s a park or big green swath down major streets. The metro was the cleanest, most fascinating of any city (sorry NY). I never waited more than 45 seconds for a car, and many of the stations are full of beautiful Soviet-era artwork.

In other ways it was more like traveling to Japan- a different alphabet, the obvious recognition of being an outsider, and English (or any Western European language) is tough to find outside the major tourist areas. Eating was sometimes difficult as we’d hunt for someplace with an English menu or pictures. But the churches, historical sites, and museums were simply amazing.

We did have one amusing (after the fact) incident. I was out there for the DLP Russia conference, at a Holiday Inn outside of Moscow proper. We requested a non-smoking room, which wasn’t a problem. Of course we’re in a country where the average 3 year old smokes, so we expected a little bleed-over. What we didn’t expect was the Philip Morris conference being held at the same hotel. So much for our non-smoking room, and don’t get me started on the smoking-only restaurant. Then there was my feeble attempt to order room service that led to the room service guy coming to our room, me pointing at things on the menu, and him bringing something entirely different.

Oh well, it was a good trip anyway. Now on to the week’s security summary:

Webcasts, Podcasts, Outside Writing, and Conferences:

Favorite Securosis Posts:

Favorite Outside Posts:

Top News:

Blog Comment of the Week:

Ted on my Two Kinds of Security Threats post:

You get more of what you measure. It’s pretty easy to measure noisy threats, but hard to measure quiet ones. Fundamentally this keeps quiet threats as a “Fear” sell, and nobody likes those.

–Rich

Friday, October 24, 2008

Friday Update: It’s 0day Week!

By Rich

Holy 0day Batman!

What started as a quiet week definitely got a little more interesting yesterday as Microsoft released an out-of-band patch for a critical vulnerability affecting most versions of Windows. It’s been a while since MS had to push out an emergency fix like this, and boy was it a wacky vulnerability. For those of you who haven’t kept up on it, it is a flaw in the RPC service that allows remote code execution without authentication. What’s really interesting is that this flaw is in a part of the code base that was patched already for a very similar problem.

What’s even more interesting is that this was discovered due to active exploits in the wild. I’ve been known to be a little persnickety about definitions, and I’ve never liked that we call all unpatched vulnerabilities zero-days. In my book, a true 0day is a vulnerability that is being actively exploited but we don’t know about it. The bad guys have information we don’t and are using it against us. When the details are public, but no patch is available, I just consider that an unpatched vulnerability. But who am I to say? I still consider hackers good guys.

On a totally different note, I think I found a minor security flaw in the RSA Conference session submission system. It appears that if you submit a session and add a speaker who is already in the system, you can overwrite some of that speaker’s attributes; in other words, the form updates an existing speaker record on behalf of whoever submits the session. Minor, but annoying since I was submitted for something like 10 sessions and part of my bio kept changing while I was submitting my own stuff.
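The behaviour Rich describes, an “add speaker” form that keys on an existing record and rewrites it, is a common shape of authorization bug in upsert logic. As an added example, and not the RSA Conference system’s actual code, here is a hypothetical Python model of such a handler beside a hardened one that links an existing speaker to the session without modifying a record the submitter does not own. The class and function names, the ownership field and the sample records are all assumptions made for this illustration.

```python
"""Added example: vulnerable vs. hardened 'add speaker to session' handlers.

Hypothetical model, not the RSA Conference code. The directory, the owner
field and the form contents are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Speaker:
    email: str
    name: str
    bio: str
    owner: str           # account that created (and may edit) this record


@dataclass
class Session:
    title: str
    submitter: str
    speakers: list = field(default_factory=list)   # speaker e-mails linked to it


class SpeakerDirectory:
    """In-memory speaker table keyed on lower-cased e-mail."""

    def __init__(self):
        self.by_email = {}

    def get(self, email):
        return self.by_email.get(email.lower())

    def create(self, email, name, bio, owner):
        spk = Speaker(email.lower(), name, bio, owner)
        self.by_email[spk.email] = spk
        return spk


def add_speaker_vulnerable(directory, session, form):
    """Upsert keyed on e-mail with no ownership check.

    Mirrors the flaw described above: naming an already-known speaker in
    your submission replaces that speaker's attributes with your form data.
    """
    spk = directory.get(form["email"])
    if spk is None:
        spk = directory.create(form["email"], form["name"], form["bio"], session.submitter)
    else:
        # BUG: any submitter can rewrite any existing record.
        spk.name = form["name"]
        spk.bio = form["bio"]
    if spk.email not in session.speakers:
        session.speakers.append(spk.email)
    return spk


def add_speaker_hardened(directory, session, form):
    """Same operation, but an existing record is only edited by its owner.

    Anyone may link a known speaker to their session; only the record's
    owner may change the name or bio. Other submitters get the link only.
    """
    spk = directory.get(form["email"])
    if spk is None:
        spk = directory.create(form["email"], form["name"], form["bio"], session.submitter)
    elif spk.owner == session.submitter:
        spk.name = form["name"]
        spk.bio = form["bio"]
    # else: link the existing speaker unchanged; a stricter design would
    # queue the proposed edit for the owner's confirmation instead.
    if spk.email not in session.speakers:
        session.speakers.append(spk.email)
    return spk
```

The hardened version still lets a third party attach an existing speaker to a session, which is the legitimate use case; what it removes is the side effect of rewriting that speaker’s profile. The same pattern applies to any upsert endpoint that resolves a user-supplied natural key (e-mail, username, SKU) to a pre-existing row.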

On that note, it’s time to head off and start decorating for our annual Evilsquirrel Halloween Party. We have about 13 tubs of decorations we’ve collected since my old roommates and I started holding parties around 1995 or so. I even have homemade animatronics I built using microcontrollers and other geeky stuff.

Yeah, I fear for my impending children too, but the neighborhood kids love us. At least the ones who don’t pee themselves when the motion sensor kicks off.

Webcasts, Podcasts, and Conferences:

Favorite Securosis Posts:

  • Rich: Your Simple Guide to Endpoint Encryption. I’ve been writing a lot about market issues lately, and I really enjoy it when I can give out practical advice.
  • Adrian: WAF vs. Secure Code vs. Dead Fish. Look folks, we’re far too polarized politically in this country to fight over which of these things solves our problem better, when both are equally good and bad.

Favorite Outside Posts:

  • Adrian: Rsnake captures the everyman experience and puts the fun back into Internet browsing. I mean, can’t we all just get along?
  • Rich: Andy reminds us what it’s like to work in the real world. Researchers, analysts, and vendors often forget what it’s like to be in the trenches, even though most of us have been there. I think it’s refreshing to read about Andy’s pain. Er… maybe that wasn’t the best way to say that.

Top News:

Blog Comment of the Week:

Windexh8er’s comment on the Microsoft vulnerability post:

So even though this sort of thing is less common as SDLs mature further (honestly Microsoft is doing a much better job in this space — but legacy code that’s in the OS is still there). This just goes back to the position wherein do corporations really need client side processing? Some may have valid reasoning (i.e. graphics / architecture / modeling / etc), but for the majority of the end users out there in corporate America they really don’t need a fully functional end system. In a Microsoft environment I’d like to see the next iteration of OS go to stripped down systems like you can leverage in Server2k8 – obviously most “work” today from a variety of different locations and the laptop has overwhelmingly displaced the standard desktop workstation for day to day business. In that respect the standard installation should be minimalistic at best. Stripped stack, host-based filtering (in and out), no user rights with the exception of approved applications and then strictly managed socket / protocol connections to approved devices. Give them what they need through established connections. At that rate client processing goes way down and visibility and control sky rockets. It’s far too much for any given internal IT / IS departments to manage numerous deployed apps and multiple desktop configurations in the state business as usual is running today. Everyone I know has a corporate laptop (these are big businesses, right) but all of these users can pretty much all connect to outside networks and do casual computing – even if it’s restricted, it’s still wide open enough to let the user infect themselves unknowingly. I’d love to do a formal PoC, like this, with one of my large clients. Cost savings alone over the course of 5 years after implementation would be reason enough to justify a path like this. I realize it’s nothing ground breaking, but the design and architecture down to the n-th degree would make it truly stand out as unique and original in today’s networks.

–Rich

Friday, October 10, 2008

Friday Summary, 10-10-2008

By Rich

What a wild, wacky, crazy week. I have a funny suspicion a lot of stock brokers and investors are scraping together their spare change for some major liquid escapes this weekend. As a small business we haven’t felt the impact yet, but we are keeping a close eye on things and preparing to adjust our strategy as needed. Security deals are definitely slowing; we sense an impending rush of acquisitions, and a general feeling of nervousness. The need for security never goes away, but if you aren’t making plans to protect yourself through this crisis, you might go away. Someone responded to a Twitter post of mine that this will be over before the next president takes office; I can’t possibly imagine that happening.

Meanwhile, we watched the usual spectacle of the Presidential debate. Since I already know who I’m voting for, I’m not sure why I watch them at all. Like NASCAR, I suppose I don’t want to miss out when someone smashes into the wall and bursts into flames. On the security front, this week we saw more clickjacking details emerge, Apple release a security update, the World Bank get totally pwned, and Symantec make a major acquisition at a good multiple. But don’t get too excited; we also know a lot of investors pushing early exits at low multiples to save what they can. I don’t mean to focus so much on the finance side of the security world, but I think we’re going to see it bleed into our daily operations as the vendor landscape shifts around.

Over here at Securosis central I continued to geek out and work on our infrastructure. We may be small, but we’re trying to set up some cool collaboration tools to support us as we grow. For you other small business types, the wiki/blog/calendar/mail group integration of OS X Server works surprisingly well, although I don’t think it would be my first choice for an external web server. I just wish it would index documents attached to the wiki. I also ordered a Drobo for our backups and I’ll let you all know how it works.

Oh, and on my run yesterday I saw two coyotes in the park near our house watching me. Very cool.

Webcasts, Podcasts, and Conferences:

  • Martin and I have started broadcasting the Network Security Podcast live as we record it. In episode 123 (my luggage combination!) we talk about electronic voting, China spying, and clickjacking.
  • If you didn’t catch it in the October print edition of Macworld, here’s the online version of the firewall article I coauthored with Chris Pepper.
  • I wrote an article on mobile phone networks for TidBITS that made the front page of Slashdot. I think it’s about the 6th time I’ve hit the front page this year, which is pretty wacky. The TidBITS server had a massive failure unrelated to the Slashdot load right after the article was linked (oops).
  • I was quoted over at Dark Reading on the license changes to Metasploit 3.2. I know I wrote that quote, but reading it now it comes off strangely ambiguous. For the record, I think it’s a great change that will really drive some interesting things in the pen testing software world.
  • Adrian and I were invited by Jeremiah Grossman to a lunch event here in Phoenix with his company (WhiteHat Security) and F5. It was nice to finally get a demo of the F5/WhiteHat integration (WhiteHat generates dynamic WAF rules on the F5 box to block validated vulnerabilities; it’s pretty cool). Jeremiah also showed us his clickjacking code/demo. I almost wondered if I downplayed it too much after seeing it at work. On the bad side, some slimeballs from a local ISP decided to show up, enjoy a free lunch, and proceed to hit up every single one of us there as their personal sales prospects. I pretended I was out of business cards, but they snagged one of Adrian’s so he’ll get the call. Talk about low.

Favorite Securosis Posts:

  • Rich: Clickjacking Details, Analysis, and Advice. I tried to put some context around it, and talk about the overall impact. Direct from Rsnake is some advice on limiting the exploit.
  • Adrian: Symantec Buys MessageLabs. Symantec pays a hefty price, but they land a leader in SaaS email security and fill out their messaging security portfolio.

Favorite Outside Posts:

  • Adrian: I had trouble naming any single post my favorite for the week. There was a most shocking, a scariest, a most depressing and a most sadly illuminating. I am going with the illuminating look into the minds of Sequoia Capital and their reactions to the current financial crisis. This should look a lot like the tech crash of 2001, and frankly, I hope this information was conveyed to their portfolio companies 9-12 months ago as the window to react has passed.
  • Rich: Gunnar Peterson’s Innovators, Imitators, and Idiots. Just a great post that I need to blog about more fully later.

Top News:

Blog Comment of the Week:

Christophe’s comment on My “Policies, Plans, and Procedures” post:

Alas, I work in a former communist country where people were used to signing awful things, and hide whatever they did from upper eyes. I sure have an agreement, signed by all users, stating their responsibility, but that means almost nothing to them.

Time for happy hour with some of our local financial analyst friends. Smart guys who are doing well through this mess, so we plan on getting them loaded and sucking up the advice.

–Rich

Friday, October 03, 2008

Friday Summary

By Adrian Lane

The Securosis team is attempting to regroup and prepare for a busy Q4. It took three full days, but I am fully migrated into the Mac universe and, now productive, can finally start work on a couple of research projects. Rich has left HQ in search of coffee, quiet and a security muse while he catches up on writing projects and white papers. But even though we have a short-term ban on travel and conferences, there is a lot to talk about. Here is our summary of this week’s blogs, news and events.

Webcasts, Podcasts, and Conferences:

Favorite Securosis Posts:

  • Rich: Impact of the Economic Crisis on Security. It doesn’t matter if you are a vendor or practitioner, we’ll feel the effects of this crisis, but in a predictable way.
  • Adrian: Email Security. It’s getting cheaper, faster and easier to implement, but with some potential privacy issues depending on how you go about it.

Favorite Outside Posts:

  • Adrian: Brian Krebs post on lawsuits against ‘Scareware Purveyors’. Finally. Infecting someone’s machine with spyware and using it as a marketing and sales conduit is akin to stealing in my book. Now if they would only go after the purveyors of this scare tactic.
  • Rich: Fyodor explains (probably) the looming TCP attack. Fyodor, creator of Nmap, does an excellent job of explaining how the big TCP DoS attack likely works.

Top News:

  • The recovery bill. Lawmakers look panicked, and the market goes down every time they get close to a ‘solution’.
  • The TCP Denial of Service attack. Nothing to panic about, and we’ll write more on it, but very interesting.

Blog Comment of the Week:

Chris Pepper’s comment on Rich’s “Statistical Distractions” post:

[snip]... I refuse to use unencrypted email, but that’s to the SMTP/IMAP/POP/webmail server. But for email we have to keep in mind that the second hop – to the destination SMTP server – is almost always plaintext (unencrypted SMTP). So it’s more about protecting the account credentials than about protecting the email itself, but someone gaining full access to my whole multi-gigabyte mail store would really really suck. …[/snip]

Now, I am off to The Office for the Securosis weekly staff meeting. We hope you all have a great weekend.

–Adrian Lane