Tuesday, May 27, 2008

Spliced feed for Security Bloggers Network

Updating platform [Roer.Com Information Security - Your source of Information Security]

Posted: 27 May 2008 08:04 AM CDT

This post only serves to inform my readers that starting today, I am upgrading my CMS - a task that should have been done a long time ago. 

Please accept and excuse any inconveniences that this process may cause you. I plan to have it all sorted out within a couple of days, but knowing technology, things may take much longer. 

:) 

Money Mule Scam Targets Restaurant Owners [Vitalsecurity.org - A Revolution is the Solution]

Posted: 27 May 2008 06:32 AM CDT

Normally I'd throw this into the mid-week Spywareguide roundup thing, but we've had some publishing problems which would likely have meant the roundup consisted of one post anyway, soooo......

Click here to see the incredibly creepy set of emails sent to the intended targets of a rather horrible Money Mule scam. As a rule of thumb, if a group of travelers from the UK suddenly ask you to handle their flight arrangements (with a sizable chunk of money ending up in your bank account, before having to forward most of it onto a third party) then RUN AWAY QUICKLY AND DON'T LOOK BACK OR YOU'LL PROBABLY DIE HORRIBLY.

I exaggerate of course, but you do NOT want to get caught up in a money mule scam. Huge thanks to the person who sent the correspondence with the scammers to me - it's always good to highlight these kinds of activities and (hopefully) prevent someone out there getting into all sorts of trouble...

Dumping the admin password of the BT Home Hub (pt 2) [GNUCITIZEN Media Portfolio]

Posted: 27 May 2008 04:11 AM CDT

This is just a quick update regarding our previous post which details how to extract the default admin password for the latest firmware of the BT Home Hub (6.2.6.E at time of writing). I recommend you read the previous post if you have not done so yet.

Black BT Home Hub

The BT Home Hub's serial number - which is the default admin password - can also be found on UPnP description XML files. If you own a BT Home Hub, just notice the 'serialNumber' tags on http://api.home/upnp/IGD.xml and http://api.home/dslf/IGD.xml

Note that no password is required to access such files, as they’re used for UPnP (authentication-less) operations. Note: UPnP is enabled by default on the BTHH.

The attack needs to take place either via the Ethernet or the WLAN (Wi-Fi) interface, just like the MDAP attack described in our previous post. Unless of course you use a cross-domain vulnerability such as XSS which allows you to remotely scrape the contents of the description XML files and send them to a third-party site. Remember that the default admin password is simply the serial number with the string ‘CP’ prefixed to it. In other words, if the serial number was 0633EHPSL, the default admin password for the Home Hub would be CP0633EHPSL. Enjoy!
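As an added example (not GNUCITIZEN's code, and not from the Sunnet Beskerming write-up further down), here is a small Python script that does what the post describes: parse a UPnP device description, pull out every serialNumber element, and derive the default admin password by prefixing 'CP'. The XML embedded below is constructed sample input shaped like a generic UPnP InternetGatewayDevice description; only the serial number in it, and the two api.home URLs, come from the post. The script never touches a device unless fetch_description() is called explicitly (the --live switch), and a Home Hub owner can run it on their own LAN to confirm whether their firmware still exposes the serial number without authentication.

```python
"""Extract serialNumber from a UPnP description and derive 'CP' + serial.
Added example, not GNUCITIZEN's code. SAMPLE_IGD_XML is constructed."""
import sys
import urllib.request
import xml.etree.ElementTree as ET

# URLs named in the post; unauthenticated on the Home Hub, LAN-side only.
DESCRIPTION_URLS = ['http://api.home/upnp/IGD.xml', 'http://api.home/dslf/IGD.xml']

# Constructed sample description. Vendor/model/UDN are placeholders; the
# serial number is the one quoted in the post.
SAMPLE_IGD_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Home Hub</friendlyName>
    <manufacturer>ExampleVendor</manufacturer>
    <modelName>ExampleModel</modelName>
    <serialNumber>0633EHPSL</serialNumber>
    <UDN>uuid:00000000-0000-0000-0000-000000000000</UDN>
    <deviceList>
      <device>
        <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
        <friendlyName>WANDevice</friendlyName>
        <serialNumber>0633EHPSL</serialNumber>
      </device>
    </deviceList>
  </device>
</root>
"""


def local_name(tag):
    """Strip the XML namespace: '{urn:...}serialNumber' -> 'serialNumber'."""
    return tag.rsplit('}', 1)[-1]


def extract_serial_numbers(xml_text):
    """Every non-empty <serialNumber> in the description (root device and
    embedded devices alike), de-duplicated, in document order."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        if local_name(el.tag) == 'serialNumber' and el.text and el.text.strip():
            serial = el.text.strip()
            if serial not in found:
                found.append(serial)
    return found


def default_admin_password(serial):
    """Default admin password per the post: the serial number prefixed with 'CP'."""
    return 'CP' + serial


def candidate_passwords(xml_text):
    """All default-password candidates derivable from one description file."""
    return [default_admin_password(s) for s in extract_serial_numbers(xml_text)]


def fetch_description(url, timeout=5):
    """Plain unauthenticated GET of a UPnP description document."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode('utf-8', 'replace')


if __name__ == '__main__':
    if '--live' in sys.argv:
        # Only meaningful from the hub's own LAN (Ethernet or Wi-Fi).
        for url in DESCRIPTION_URLS:
            try:
                print(url, candidate_passwords(fetch_description(url)))
            except Exception as exc:  # unreachable host, non-XML body, etc.
                print(url, 'failed:', exc)
    else:
        print(candidate_passwords(SAMPLE_IGD_XML))
```

Matching on the local tag name rather than a hard-coded namespace prefix keeps the parser working whether or not a vendor's description declares the urn:schemas-upnp-org:device-1-0 namespace as the default.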

Does the UK need a breach notice law? [Emergent Chaos]

Posted: 27 May 2008 02:43 AM CDT

Chris Pounder has an article on the subject:
In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly lose personal data or fail to encrypt personal data when they should have done. Individuals are protected because they have simple and free access to the Information Commissioner, who has powers to investigate any complaint and fine. Compensation for aggrieved individuals could arise from any significant security lapse.

In other words, all the features of a security breach notification law are now found in existing data protection legislation. ("Why we don't need a security breach notification law in the UK.")

It's an interesting analysis that breaches are already covered, and I think he's probably right. However, he's not certainly right. Attorneys are paid (in part) to argue, and I think most decent attorneys could construct an argument that the law is unclear.

I think there are two strong reasons to support a breach disclosure law: clarity and learning.

The argument for clarity is just that: the law may not be clear, and it will save U.K. organizations money to have a simple, clear law on the subject. (It can't cost more for notifications, because that cost, according to Pounder, is already present. Similarly, there's no increase in liability, that cost is already present.) But with a clear law, attorneys can't charge as much for analysis.

The second reason for a law is to charge a public agency with collecting and sharing information about what happened and why.

As organizations go through this pain, we should learn from it. Not learning from it entails going through it again and again.

There's a third reason, which is that even in the case of clear law, which exists in the US, only 3 of 21 retailers breached had told their customers. (Based on a Gartner survey, n=50.)

[Gartner analyst Avivah] Litan didn't know whether the retailers had broken state laws by not informing their customers of the breaches, but she said it was a possibility. Some of the breaches may have happened before applicable state laws were in effect. ("Most Retailer Breaches Are Not Disclosed, Gartner Says.")

Annoying webpage gimmick of the week [Vitalsecurity.org - A Revolution is the Solution]

Posted: 27 May 2008 02:17 AM CDT

...and it's only Tuesday, so you know it's gotta be pretty annoying. I'm on a friend's Myspace page and I see this:



For whatever reason, the words "Pimp" and "Myspace" usually only ever go hand in hand when on a one way trip to disaster. Sure enough...


......blargh. It's like Mariah Carey vomited on the screen or something. Obviously, we don't want to stay here any longer so after making my excuses, I'm about to close the tab.

However, it turns out clicking the "Close Tab" cross in Firefox, IE and all those other wonderful browsers is something this website would rather you didn't do:


But I want to see my website! My website!!!

Oh, the humanity. Think any more stupid popups will appear if you try to get rid of that one?


........Noooooooooooooooooooooooooooooooooo! etc

Sadly, the site you get unceremoniously dumped on at this point is a blank page, but thanks to the magic of the internet you can read all about it here.

So there we go, another sucktacular Myspace glitter site that probably wouldn't be as offensive if not for the stupid DON'T GO, STAY NOW LOL boxes of doom.

BT Home Hub Still full of Holes [Sunnet Beskerming Security Advisories]

Posted: 26 May 2008 07:57 PM CDT

British Hacker group GNUCITIZEN, and in particular Adrian 'pagvac' Pastor, have been focussing on the BT (British Telecom) Home Hub, an ADSL modem capable of acting as a wireless access point and interfacing with DECT compliant telephone handsets (the standard used in most cordless handsets) as well as supporting VoIP. In their past research, GNUCITIZEN identified several methods to compromise various features of the BT Home Hub, including the complete take over of the device by a remote attacker, provided that the local user could be convinced to visit a malicious website.

Some of the modifications made by BT to address the concerns raised by GNUCITIZEN included changing the default password of the Home Hub to the serial number of the device. On initial observation, this gives each device a unique root password that should be non-guessable by a remote attacker, neutralising the techniques otherwise used to compromise the system.

Recent work, however, has shown that this serial number is recoverable, and thus the control of the device. To achieve this feat, a local network request is made using Multi Directory Access Protocol (MDAP) which then results in the device responding with its ID number, which can then be prepended with 'CP' to give the serial number and the default password for the device.

Limiting the impact of the discovery is the requirement for the attacker to be on the same LAN as the router, either through a wired or wireless connection. Given that the wireless connection is only secured with WEP, it isn't going to take long for a casual wardriver to break into a targeted device. Alternatively, techniques described by other researchers, to allow probing of local LAN resources remotely could be blended to give the remote attacker all the information they need without actually having to be present on the LAN.

While this is a real concern, Adrian points out that there are still critical UPnP port forwarding vulnerabilities that leave the Home Hub just as vulnerable. Given the numerous capabilities of the device and what it is designed to be used for, anything that could allow a remote attacker to capture all Internet and telephony traffic passing through the device is going to have serious consequences.

If BT, the company that purchased noted security company Counterpane (including Bruce Schneier) can have critical security errors in their consumer level devices, it doesn't bode well for the many other ISPs that provide slightly modified devices to their own customers, even if they are nothing like the Home Hub in appearance or capability. As with any other network or computing device, the safest approach to take is to always assume that it is or can be compromised and be aware of what information is being sent through or stored on it.

Crossbranding now includes spam [Roer.Com Information Security - Your source of Information Security]

Posted: 26 May 2008 03:27 PM CDT

In Norway, where I am currently located, advertising for gaming is illegal. The same goes for alcohol, tobacco and many other things. 

Still, there are a couple of Norwegian TV-channels that flood their poor watchers with gaming adverts - because the company is located in London, and not within the Norwegian jurisdiction. And in the past 3-4 months, the ads for gaming on these channels have increased dramatically. 

What I have noticed in the same period, is a dramatic increase in spam emails promoting craps, poker and a large amount of related ads. This led me to asking one of my security buddies in the US if the same is going on in the US. He said that no, no such trend was evident over there.

This has led me to consider that spammers are no longer only using geographic data to tune their spam, but also offer to target particular areas and times when the clients are buying ads in other media too - thus strengthening the message to the customer. 

This cross-branding, or cross marketing, is nothing new in RL - you see it in TV, papers and magazines all year round. What I find interesting is that now you can cross-brand yourself in magazines, TV, Radio AND by using spam - at the same time. 

Physicians and medics [RiskAnalys.is]

Posted: 26 May 2008 03:12 PM CDT

My thanks to Mike Rothman who last week gave me credit for "fighting the good fight".  I'd like to think he's right — it has been a bit of a struggle over the years, I'd like to think I'm winning (or at least managing a draw) as I continue the struggle, and I’d like to think it’s worthwhile.  Mike does seem to continue to question the pragmatism of my approach though, which is what this post is about.

Don’t get me wrong.  I greatly admire the work Mike does and wish he and his book had been around when I started out as a CISO.  Would have saved me significant pain and suffering.  On the other hand, if I'd had Mike's P-CSO I might have become complacent and ended up believing that's all there was to being a CISO.  Not that I think Mike is advocating complacency — he's not.  I also don’t think he discounts risk analysis concepts.  He's simply focused on helping that component of our profession who's just getting started or who faces other practical constraints in dealing with our very complex problem space.  His is a necessary and highly valuable contribution, and he provides it in an entertaining way that’s too rare.

Let me set this discussion in a medical analogy context.  If I was in the middle of nowhere or didn't have the resources for a physician, then a medic who's skilled in lifesaving basics would do just fine.  However, if the situation called for a deeper understanding of the complex, sometimes subtle health considerations, then I'd prefer a physician.  Someone who didn't say: "Boy, this anatomy and physiology stuff is complicated.  I'm just going to stick with 'The hip bone is connected to the back bone…'"   My physician may, of course, choose to follow a pragmatic, commonly-used course of treatment, but they'd be able to do so with a deeper understanding of the problem space, greater (but not perfect) certainty that the course of treatment would work, and a better ability to explain to me, the patient, why I had to swallow this bitter pill, undergo the knife, or have this long tube snaked into one of my orifices.  

Yes, I realize that physicians sometimes get it wrong, sometimes get wrapped up in fancy and even unnecessary procedures, and can drive up costs.  That’s just as true as what can happen at the other end of the spectrum — the shaman who operates entirely by superstition, faith, FUD, and intuition.  The point is, there's absolutely a need for both medics and physicians (and levels in between).  We, as professionals, can choose where we want to be within that continuum.  With this in mind, a few things to consider are:

  • In the heat of battle, when resources are limited, or when it just makes sense, physicians always have the option of behaving as medics and sticking with the bare essentials (the reverse isn't true).  In fact, the best physicians I’ve encountered are pragmatic in their approach but have the deeper knowledge to leverage when need arises
  • Medics might effectively deal with 80+% of our problems, but that remaining ~20% can be critical 
  • A person can start out as a medic and then become a physician later, as need and resources dictate  
  • Physicians tend to be paid more

Bottom line — knowledge and understanding are never a bad thing, but it requires extra effort to acquire them.  And, as Mike points out, the simple approach is often good enough and may be all we can hope for given our individual circumstances.  For myself though, I prefer a deeper understanding of our complex problem space.  I want to be able to answer the hard questions about why and how.  But that's just me.

BTW - I was amused at Mike’s characterization of risk analysis as Black Magic, as this phrase would also have been used in the past to describe medical and scientific concepts/practices we take for granted today.  

 

Until They All Come Home [Andy, ITGuy]

Posted: 26 May 2008 06:48 AM CDT

I just wanted to take a minute and say THANKS to all those who have served or are serving in the US Military. Today is Memorial Day here in the US. A time when we stop to remember those who died while serving our Country. It's also a day when we should be reminded of the sacrifice that is made every day by those who serve in the military and their families.

It's a job that often goes without the thanks that is deserved. The work is often hard and dirty and the pay is nowhere near what it should be. Often they put their lives on the line to ensure that they are ready at a moment's notice to answer the call. If they are in a combat zone then they are constantly on alert while in miserable conditions. Family members spend their days wondering if they will see them again. Yet life has to go on. Children are born while dad is away. Birthdays are missed, holidays are celebrated without them. Husbands, wives, kids, parents all go through the day with a heavy heart waiting on the return of their loved ones.

I know because I have a close relative who is in a combat zone. He's there because he believes in freedom for all no matter the cost. He doesn't like being there but he is and he's doing what he has to do. Growing up I often thought that he was selfish but all of that is erased now. He proved his unselfishness by making the decision to put his life on the line for the freedom of those he doesn't even know.

I've always gotten a little choked up when I hear a patriotic song or think about the sacrifice that is made by those in the military but this year it's a little different. This time it's close to home and personal.

So to all of you who have served, who are serving or who have a family member serving I say THANKS!!! Thanks for the sacrifice that you are making. If you see a member of the military don't just walk by them stop and say Thanks. If you know someone who has a family member who is serving in the military let them know that you appreciate their special sacrifice. You'd be surprised at how appreciative they are at knowing that we notice what they are doing. Even if you don't support the war, SUPPORT OUR TROOPS AND THEIR FAMILIES!

Got this at the Weekend [Vitalsecurity.org - A Revolution is the Solution]

Posted: 26 May 2008 02:36 AM CDT


...third day? As in, three days after the day I received the mail (which was Saturday)?

Oh my. I can tell you're a pretty dedicated and hardcore Anonymous guy, because of the way you made room for your bank holiday Monday. Can't unleash the Dogs of War online when you're on a three day weekend, eh? Also,



I run joyously towards my destruction, which I have penciled in for a week after "stfu, nubcake". Now hurry up and crawl back into whatever hole you clambered out of before I bury you in it, head first. Thanks.

Visualizing Risk [Emergent Chaos]

Posted: 25 May 2008 02:27 PM CDT

I really like this picture from Jack Jones, "Communicating about risk - part 2:"
Using frequency, we can account for events that occur many times within the defined timeframe as well as those that occur fewer than once in the timeframe (e.g., .01 times per year, or once in one hundred years). Of course, this raises the question of how we determine frequency, particularly for infrequent events. In the interest of keeping this post to a reasonable length, I’ll cover that another time (soon).
And I'm looking forward to how Jack says we should determine those frequencies.

One suggestion for improvement: state the timeframe on the chart label: "Loss Event Frequency (per year)."

Zoom! Schwartz! Profigliano! Improv and Real Life [Mediaphyter - A Communications Cocktail]

Posted: 25 May 2008 11:04 AM CDT


About three years ago I convinced myself that I was funny enough to try improvisational comedy. I mean, most people laughed at my jokes, or at the very least laughed at me. Plus no one had ever hurled a tomato in my direction. So I signed up for a beginners workshop at ComedySportz, a “Whose Line is it Anyway?”-style competitive improv group. Not exactly what I originally had in mind (was hoping for a “How to be the Next Chelsea Handler” workshop) but I figured I’d go with it. I’d improvise.

I thought I would show up and some Shecky-type instructor would have me tell a few jokes and immediately rush me in front of an audience. Not quite. Our teacher, an amazing comic named Jeff Kramer, owner of the San Jose chapter of ComedySportz, instead started with teaching us the fundamentals of improv. I was confused. The next thing I knew I was sitting in a chair scribbling notes rather than taking a bow in front of my adoring new fans.

We discussed some critical fundamentals:

  • Always give 110 percent; anything less will make you seem uncertain.
  • If you are going to fail, fail BIG; own your failure and the audience will support you.
  • You must trust your teammate; if you don’t the performance will fall apart.
  • Be fluid, be resilient. Don’t get hung up on an idea. Trust your gut instinct and keep moving.

Finally, Jeff talked about the importance of thinking like children. Don’t get me wrong, he didn’t want me to kick the guy next to me and scream “boys are icky!” (yep, I was that kid). His focus was on the perception differences between children and adults; how an adult will see a jungle gym as bars and rope but a child will see it as a rocket ship. Their minds are unfettered by skepticism and cynicism and therefore they are sometimes better able to be imaginative without being apologetic.

Jeff taught me some valuable lessons that I’ve been able to successfully apply to my improv experiences (I made it through three levels of classes before I got into advanced workshop and started doing shows). More important, however, I’ve been able to apply these rules at work and, to some degree, I also try to apply them to my personal life. It’s not easy - it’s about as easy as doing an impromptu somersault while simultaneously singing “I’m Henry the Eighth, I Am” in front of hundreds of people. Yet worth it once you get that booming laugh or uproarious applause.

That said, I’m going to head outside and build a Delorean out of newspapers.

Why the heck don't I ever have ideas this good? [Emergent Chaos]

Posted: 25 May 2008 01:14 AM CDT

Walkscore.com.

Calculates a location's "walkability" by using Google Maps to figure out how close various amenities (such as grocery stores, public transit, parks, etc.) are.

Not a perfect service, but a great idea.

I Will Derive — Much better than Gaynor's version [Srcasm]

Posted: 24 May 2008 02:46 PM CDT

Check out this incredible music video… It teaches an important lesson, has incredible dance moves and brings two nerds to the forefront of the music industry.


Links for 2008-05-23 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 24 May 2008 12:00 AM CDT

The Ghost Of Future's Past: VirtSec Innovation Circa 2002 [Rational Survivability]

Posted: 23 May 2008 11:19 PM CDT

One of the things I try to do when looking forward for inspiration in solving problems is to ensure that I spend enough time looking back to gain perspective.  I've been thinking a lot about models for virtualization security lately.

As I surveyed the options (or lack thereof) splayed about before me in terms of deployment options and available technology to solve some of the problems I've been researching, I was struck by what I can only describe as a ghost of future's past. 

It shouldn't really surprise me like it does, but I always giggle when reminded of my own favorite saying: "Security is like bellbottoms -- every 20 years or so, the same funny-looking kit comes back into style."

As it is with jeans, it is with security solutions.

I dredged up some of my collected research from moons ago on the topic and dusted off a PDF that I had completely forgotten about as I was trying to piece together some vague semblance of something that strangely reminded me of VMware's VMsafe.

I cracked a gigantic smile when I saw the authors -- Tal Garfinkel and some guy named Mendel Rosenblum (now co-founder and chief scientist at VMware.)

The PDF in question is titled Virtual Machine Introspection ("productized" as LiveWire) and presents the following case:

In this paper we present a new architecture for building intrusion detection systems that provides good visibility into the state of the monitored host, while still providing strong isolation for the IDS, thus lending significant resistance to both evasion and attack.  

Our approach leverages virtual machine monitor (VMM) technology. This mechanism allows us to pull our IDS "outside" of the host it is monitoring, into a completely different hardware protection domain, providing a high-confidence barrier between the IDS and an attacker's malicious code.

We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host's state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.

I got to thinking about the relevance of this approach because of some of the arguments that Simon Crosby made in our debate recently.  I wanted to spend some more time thinking about the architectural differences between VMware and Xen so I could try and appreciate the genesis of Simon's comments in context.

This paper and the Livewire prototype were created circa 2002.  It's six years later and we're just now starting to see products and technology being announced as "new and fresh" that are basically just like Livewire.

While it's certainly not the first and only research on this topic, it's interesting to see that sometimes the wisdom of the past just takes a little longer to cook before it's fully baked, ready for icing and ready to be consumed.

If VMsafe is an example of the evolution of prior art like Livewire, what else do we have to look forward to that's buried somewhere waiting to come back to life?  Oh wait, those mainframes are coming back, aren't they?  What's old is new again.

/Hoff

{Update: I also found some cool related stuff from Tim Fraser called Virtual Machine Introspection for Cognitive Immunity (kernel rootkit mitigation using VM Introspection) from Komoku which was acquired about a month ago by, gasp, Microsoft...}

Fun Reading on Security - 3 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 23 May 2008 07:23 PM CDT

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #3, dated May 22, 2008.

So my next iteration of fun reading on security, logging and other topics.

Enough for now!


Leave Twitter Alone! [Mediaphyter - A Communications Cocktail]

Posted: 23 May 2008 07:08 PM CDT


No no, I haven't gone batty with all of the Twitter Love Day fangirl business. We all fondly remember Chris "Leave Britney Alone!" Crocker from YouTube (and currently in the rockin' new Weezer video). Today during one of the Twitter outages, Kevin Bondelli made what I believe is the funniest replacement Twitter 404 message, featuring our favorite obsessively crazed pop princess fan:

Hey Kevin, consider making this into a t-shirt? :)

More Log Management Questions - Answered! [Anton Chuvakin Blog - "Security Warrior"]

Posted: 23 May 2008 06:04 PM CDT

I did this VERY fun webcast with WhiteHatWorld this week and a lot of good questions about log management came up. I am answering them here for my readers. BTW, LogLogic product-specific questions can be found on LogLogic website; I am not answering them here.

 

Q1: Is a preferred log management program to consolidate the log data and then allow us to review them?

A1: The answer is "Yes!" For the vast majority of use cases, consolidating logs works better than the silo'ed approach. Also, this will be answered in a longer dedicated post within a few days (link TBA).

 

Q2: Is it feasible to use a log management tool to try to determine whether application events / failures are being caused by infrastructure issues?

A2: Wow, fantastic! The answer to this is "Yes, if you have the right logs collected." In most cases, getting to the bottom of such issues requires having BOTH application (e.g. PeopleSoft or Oracle) and infrastructure logs (e.g. Windows or Solaris).

 

Q3: What is the typical retention schedule for logs which might be required for compliance issues?

A3: I wish I could give a simple answer for this, but there is none. Well, PCI DSS makes it simple: 1 year for logs from in-scope systems. Other regulations are not as clear and the numbers, or - more often! - guesses at such numbers range from 90 days to 7 years and more.  90 days to 1 year is a common retention policy for security (on the longer side of this range) and operationally (on the shorter side of this time range) useful logs. Check this out for a few ideas for how long you might need the logs.

 

Q4: Once you have logged the events, what do you do with them?

A4: Well, I was about to laugh it off since it truly opens up a Universe of questions, issues, challenges, etc. But here is my attempt at a short answer (like, less than a book :-)): a) you collect the logs and now you can search thru them in case you need to b) you summarize them and notice the trends - overall know what is going on in your environment c) you analyze them in real time to trigger alerts on "critical" log messages - failures, attacks, etc.  See this slide deck for some useful pointers.

 

Q5: Why do I create a log policy? 

A5: A log policy is a clear and simple document that shows what you log on each system (and why): it helps you to configure logging across all the systems as well as helps you know what information you have in your environment (should an auditor ask, for example). A log policy also defines log retention, log review practices, etc. NIST SP 800-92, Guide to Computer Security Log Management [PDF], is a good source of info on this subject.

Enjoy!
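As an added example (not Anton Chuvakin's or LogLogic's code) illustrating A2 and A4 above, here is a small Python program that consolidates an application log and an infrastructure (syslog-style) log into one normalized, time-ordered stream, flags "critical" messages the way a real-time alerting rule would, summarizes volume by source and host, and then correlates each application failure with critical infrastructure events that preceded it within a short window, which is how you would start answering the question in Q2. The log lines, their formats, the critical-message patterns, the 30-second window and the year assumed for the syslog timestamps are all constructed for the example.

```python
"""Consolidate, classify, summarize and correlate logs from two sources.
Added example, not Anton Chuvakin's or LogLogic's code. All inputs constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed application log (ISO timestamp, host, level, message).
APP_LOG = """\
2008-05-22 10:02:11 ERP-APP01 ERROR DB connection lost: ORA-03113 end-of-file on communication channel
2008-05-22 10:02:12 ERP-APP01 ERROR Batch job PAYROLL_NIGHTLY failed
2008-05-22 10:30:00 ERP-APP01 INFO  User jdoe logged in
"""
# Constructed infrastructure log in traditional syslog format (no year).
INFRA_LOG = """\
May 22 10:01:58 ORADB01 kernel: nfs: server nas01 not responding, still trying
May 22 10:02:05 ORADB01 oracle[4412]: ORA-27072: File I/O error
May 22 10:15:40 ORADB01 sshd[5102]: Failed password for root from 10.0.0.77 port 51234 ssh2
"""
SYSLOG_YEAR = 2008  # assumption: syslog lines carry no year

APP_RE = re.compile(r'^(\S+ \S+) (\S+) (\w+)\s+(.*)$')
SYSLOG_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$')

# Constructed patterns standing in for a SOC's real-time alerting rules (A4, item c).
CRITICAL = [
    ('app_failure', re.compile(r'\b(ERROR|FATAL)\b')),
    ('auth_failure', re.compile(r'Failed password')),
    ('io_error', re.compile(r'I/O error|not responding')),
]


def parse_app(line):
    """Application line -> normalized event dict, or None if unparseable."""
    m = APP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
    return {'ts': ts, 'host': m.group(2), 'source': 'app', 'tag': m.group(3), 'msg': m.group(4)}


def parse_syslog(line, year=SYSLOG_YEAR):
    """Syslog line -> normalized event dict; 'tag' is the program name."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f'{year} {m.group(1)}', '%Y %b %d %H:%M:%S')
    return {'ts': ts, 'host': m.group(2), 'source': 'infra', 'tag': m.group(3), 'msg': m.group(4)}


def consolidate(app_text=APP_LOG, infra_text=INFRA_LOG):
    """One time-ordered stream from both sources (A4, item a)."""
    events = [parse_app(l) for l in app_text.splitlines()]
    events += [parse_syslog(l) for l in infra_text.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e['ts'])


def classify(event):
    """Names of the CRITICAL rules the event matches (empty list if none)."""
    text = f"{event['tag']} {event['msg']}"
    return [name for name, rx in CRITICAL if rx.search(text)]


def summarize(events):
    """Event counts per (source, host): the trend view of A4, item b."""
    return Counter((e['source'], e['host']) for e in events)


def correlate(events, window=timedelta(seconds=30)):
    """For each application failure, the critical infra events in the preceding
    window (Q2: was the application failure caused by infrastructure?)."""
    infra = [e for e in events if e['source'] == 'infra' and classify(e)]
    findings = []
    for ev in events:
        if ev['source'] != 'app' or 'app_failure' not in classify(ev):
            continue
        related = [i for i in infra if ev['ts'] - window <= i['ts'] <= ev['ts']]
        findings.append((ev, related))
    return findings


if __name__ == '__main__':
    evs = consolidate()
    print('volume by source/host:', dict(summarize(evs)))
    for ev in evs:
        if classify(ev):
            print('ALERT', ev['ts'], ev['host'], classify(ev), ev['msg'])
    for app_ev, related in correlate(evs):
        print('\n', app_ev['msg'], '<- preceded by:')
        for r in related:
            print('   ', r['ts'], r['host'], r['tag'], r['msg'])
```

The correlation only works because both parsers normalize timestamps into the same type before sorting; in practice that step (and agreeing on a timezone) is where most "why does the app log say 10:02 and the server say 09:02" arguments come from, and it is why A2's "if you have the right logs collected" matters.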


Please read more carefully. [Emergent Chaos]

Posted: 23 May 2008 06:01 PM CDT

A paper by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti to be presented at the upcoming WEIS workshop examines the impact of breach disclosure laws on identity theft. The authors


find no statistically [significant] evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce

The folks at Bank Technology News pick up this ball and run with it, proclaiming in a headline:


Study: Data Breach Laws Don't Reduce ID Theft

This is, quite simply, wrong. Absence of evidence is not evidence of absence. Maybe the data just aren't good enough (something we at EC have been complaining about -- and even trying to fix -- for some time).

Since the Bank Technology News article is behind a pay wall, I can't read it. I hope it is more accurate in conveying Romanosky et al.'s recommendations than it is regarding their conclusions.

Those recommendations will be familiar to EC readers, and are worth quoting at length:

Proper research on the effectiveness of data breach disclosure laws is hampered by the lack of sufficient, high quality data. Hoofnagle argues that the current collection of identity theft records come from surveys and anecdotal accounts (Hoofnagle, 2007). He claims that current information is not sufficient and that banks and other organizations should be required to release identity theft data to the public for proper research. We certainly agree with this view. To the extent that reporting and other biases can be reduced, it will allow researchers to more accurately measure the impact of disclosure laws. Moreover, we believe that the proper collection of identity theft victimization, and consumer and firm loss data will be a valuable tool for researchers, policy makers and consumers. We therefore join others (Samuelson, 2007) in supporting the following recommendations to policy makers:

• Create a single, federal data breach disclosure law that covers all persons, private organizations, data brokers and state and federal agencies. This single law should reduce conflict between states laws and lower the barrier for compliance.

• Standardize the content of notifications to include only pertinent information (no marketing brochures) that includes actionable information for the consumer (e.g. date of breach, type of personal information lost, and customer support contact information).

• Define an oversight committee to be notified of all breaches. This will create an authoritative source of breach data that can be made available to policy makers, researchers and consumers.

I haven't given this paper the time it deserves, so I'll reserve comment. I've read it attentively enough to know that contrary to what some in the trade press may think, the jury is definitely still out on whether identity theft is decreased by breach laws.
It's Twitteriffic! [Andy, ITGuy]

Posted: 23 May 2008 03:01 PM CDT

I'm on Twitter. I don't use it much. It's mostly a novelty. I use it to converse a little and to see what others are talking about that may be of interest. Sometimes I find good things to talk about in regards to Information Security. This is the main reason that I joined Twitter. A few of my friends from the Security Catalyst Community had accounts and so I thought I'd see what all the buzz was about. Soon after that Jennifer Leggio (MediaPhyter) created a "Twit List" of Security Professionals. It's lovingly called "Security Twits".

I've noticed that the level of participation varies from person to person. Some twit almost constantly. Some twit rarely. Some twit from work, home, school, conferences, birthing rooms, cars, airports, just about anywhere you can imagine. Some use the web interface while others use IM clients, Twitter clients, or their mobile phone/PDA. The twittering varies also in content. It might be an "I'm currently doing <fill in the blank>." Sometimes it's asking questions, posting links, making comments. Talking about sports, work, anything and everything.

What I've noticed though is that some people tell a little too much information. They seem to forget a couple of things.

  1. There could be lots and lots of people following them who do nothing but "lurk". They don't twit back. They just sit and listen. Who are they? What are they listening for? I know that I've had people "follow" me who are following thousands of people. There is NO way that they can be keeping up with all the conversations. So what are they doing? Are they harvesting all you say for some other reason? Research, information gathering about your company, looking for a way to discredit you, blackmail?
  2. Some people who are at work twit a lot about what they are doing and it's not work. Sure it may be a slow day and maybe the company doesn't mind you doing non-work related things from time to time, but then again, maybe they do.
  3. It's still the Internet which means that once you put it out there it's out there to stay. Remember there is NO privacy on the Internet.

So, my fellow "Tweeples" (as Kevin Riggins likes to say) be careful out there.

Essential Truths in Information Security: Never say "no" [Kees Leune]

Posted: 23 May 2008 01:38 PM CDT

"The security guy always says no" is a phrase that is heard all too often. Unfortunately, it is usually a phrase based on the reality in which people work. Even if it is not actually the case, often people will think it is. Perception is reality.

Information security has a bad name. We are the people who always tell others that they cannot do certain things in ways that they feel they need to do them. Often, we do not even give them real reasons: "because that would not be secure" is not sufficient. For a child, there is nothing as frustrating as a parent saying: "because I told you so."

When addressing requests of users, the most important thing to remember is that an information security professional is a service provider, and service providers never say no. It is in our best interest to keep our users happy, to guide them and to educate them about how to go about certain things. If we really feel that a request is unreasonable, we should be able to convince the requestor of that, and have him withdraw that request himself.

If that does not work, just about anyone in an organization has someone who outranks them. As information security professionals, we need to know who the most senior members of an organization are, and more importantly, the senior managers need to know who we are.

The person saying no should not be the information security professional. Our job is to identify risk, and have someone else decide if that risk is acceptable. Once that assessment has been made, we will design, implement, and operate security controls that are designed to help people do their jobs better.

We do not say no. Business representatives do.

By constantly reminding everyone in the organization that we are not there to make their lives harder by blocking them from doing things a certain way, but that we are there to make their lives easier by providing them with reliable information and with reliable information systems, we will be looked at much more favorably.

Once we get the reputation that we are there to help make things better (remember, perception is reality!), people might even come to us early on in projects to ask for our input when a project is still young.

Essential Truths in Information Security: Execute with precision and excellence [Kees Leune]

Posted: 23 May 2008 01:32 PM CDT

This post's title hardly needs any clarification, and I'll try to keep this post brief. As information security professionals, we generally play a defensive role. Very few of us are given the opportunity and the means to play the game as an attacker. Those of us who do generally enjoy it tremendously and learn a great deal from it. Being a defender is hard; after all, as a defender you need to anticipate all possible attack vectors that an attacker might deploy against you. An attacker, on the other hand, can take the time to do reconnaissance, scan our environment, and analyze his findings. Our defenses are visible before they are put in play; an attack is not. Then, based on the analysis, the attacker can focus his attack on what he identified to be the weakest spot in our defensive controls. As a result, we need to strive to implement our controls (preventive, detective and corrective) as effectively as we can: we must execute with precision and excellence.

The same is true for incident response. Once an incident has been declared, we need to ensure that our containment and eradication efforts do not make the situation worse than it already is, and we need to do so quickly. We again need to execute with precision and excellence. If there ever is a place for perfectionists, it is in designing a defensive position.

You can use any vendor you want as long as it's Cisco [Andy, ITGuy]

Posted: 23 May 2008 12:03 PM CDT

Henry Ford's famous quote "The customer can have any color he wants so long as it's black." is echoed by many a network and security manager across the world. "Sure, get me a quote from Vendor X, Vendor Y and Cisco." Then they choose Cisco. Don't get me wrong. I like Cisco, but they aren't the best for everything.

This article from Leadership Wired, "The Challenge of Change" by John Maxwell (http://www.injoy.com/newsletters/leadership/content/issues/11_8/default.htm#1), spurred my thought process. How many times have you seen a similar situation played out in IT and Security?

In Ford's mind, producing multiple colors was foolhardy since black paint dried the fastest and could be used most efficiently. Amazingly, Ford did not comprehend the human preference for variety. Customers flocked en masse to other producers who catered to their color preferences, and Ford Motor Company never regained its grip on the market.

For so long, Henry Ford had focused on moving from inefficiency to efficiency that he refused to move in the opposite direction - from efficiency to inefficiency - even when doing so would have been wise and profitable. Ford's genius in sparking change had catapulted him to the pinnacle of American commerce, but later, his inability to change cost him dearly.

Often we get so caught up in the mindset that because it's Cisco (I don't mean to pick on them, but they are the one that I've experienced this with the most) then it's the answer.

So how do we stay out of this trap and ensure that we are making the best choices for our business? First, we have to (this is getting redundant) know our environment, know our business, know our risk acceptance level, know our technical knowledge level, know what we are trying to protect and from whom, know our budgetary limits. Once we have answered those questions then we can start to look at solutions. Evaluate them and make a choice based on what works best for you. If you don't answer these questions and just pick a solution based on who the vendor is, what it costs, it's the "industry standard", or how easy it is to deploy and maintain, then you are not solving a problem, you're just wasting money.

It's our job and responsibility to make decisions based on what is best for the company. It's kind of like raising kids. Just because it's on the Disney Channel or Cartoon Network doesn't mean that it's what our kids need to watch. What is appropriate for a 12 year old isn't appropriate for a 5 year old and just because it's animated doesn't mean that it's good for any child to watch. The same goes for what we choose to secure our networks. Just because it's considered 'industry standard' or it's made by a big company doesn't mean it's good for us.

So if you've fallen into this trap, step back and take a long, hard look at your selection process and refine it to best meet your needs. If it turns out that you still choose Cisco or whoever you would have chosen by "default" then that's great. However, if you discover that there are other vendors who can meet your needs better then you have a feather to put in your hat.

Sing it shrdlu [Emergent Chaos]

Posted: 23 May 2008 10:39 AM CDT

Over at Layer8, shrdlu lays it out there and tells us what it takes to appear to be effective:

In all the initiatives I’ve rolled out in my (checkered) career, the ones that have gotten the most acclaim from my management have always been the ones that were most visible to the users. They turned out to be popular if they:

- were used directly by the users
- allowed the users to do something better, or faster, or better AND more securely
- helped reduce the risk of a legal problem

and

In the eyes of the business—the ultimate risk decision maker—the more it affects/helps the users, the bigger the win. So from a practical point of view, they’re using a very different set of risk factors than we are from behind our consoles and our dashboards.

These are both huge points that highlight the difference between what we as practitioners often think is important and what the business thinks is important. The trick of course is balancing the two correctly. My recommendation is, whenever possible, to leverage adding security by packaging it with a new offering that users want. For instance, at one employer, there was a big push from users to be allowed to move from dial-up to VPN over their home broadband connections. We gave it to them, but took the opportunity to move from passwords for authentication to tokens. We got almost no complaints from users about it being harder or more complicated because it was bundled with something they really wanted. This had the added bonus that, down the road when we later required it for accessing certain critical systems, it was a well understood technology that people were used to using, so we got very little push-back and got compliments from our auditors for being so conscientious.
