Besides being a very interesting and reasonable question to ask, I was also intrigued by a difference I spotted between the title of his article and the first sentence in the body.
Specifically, in the title Stuart asked if "Data Loss Prevention [is] Really Possible?" but in the body he asked if it "...is really possible to prevent data leakage?"
In my opinion, data loss and data leakage are two different issues, albeit with some degree of subtlety. I'm interested in your position.
I will explain my opinion via an update here once folks comment, so as to not color the outcome.
What's your opinion? Loss versus leakage? Talk amongst yourselves.
I am not what you would consider a huge fan of horse racing. The last time I bet on a race was when I was 18 and one of my uncle's horses was running; I bet all I had on him, only to see him pull up and stop at the top of the stretch. I guess I was somewhat spoiled growing up though, because during the '70s, when I was first introduced to horse racing, we saw 3 Triple Crown winners.
The first Triple Crown winner I saw was the incomparable Secretariat. Anyone who saw him will not forget Big Red coming down the stretch of the Belmont Stakes all by himself, putting the crowning touch on his Triple Crown campaign. Five years later, Seattle Slew beat all comers to win the Triple Crown himself. He was a big, impressive horse and a favorite of the crowd. Just the next year, Affirmed won all three Triple Crown races, each one in a neck-and-neck battle with Alydar. What a series that was, with Steve Cauthen pushing Affirmed to the win each time, but Alydar was the favorite of the crowd. What hearts both of those horses had!
If you had told me after Affirmed won in 1978 that I would not see another one for at least 30 years, I would not have believed you. But almost every year it seems some horse wins the Derby, is able to hold on and win the Preakness, but then the Belmont, the test of champions, looms and they come up short. Either bad breaks, bad breeding or something else conspires to deprive the sport of what it needs to give it a badly needed shot of publicity.
This year it was Big Brown. The horse looked unbeatable in the first two legs of the triple crown. He didn't look too bad early in the race. But at the top of the stretch when he was asked to turn it on, he just had no gas in the tank. He joins a long list of horses who stood on the cusp of immortality, but came up a little short.
I guess we will have to wait until next year, or maybe the year after, to see if anyone has what it takes. I sure hope I get to see at least one more Triple Crown winner in my life!
According to this article, T-Mobile is none too happy about Starbucks and AT&T offering free Wi-Fi to customers. They have filed suit against Starbucks, claiming that according to an agreement between the three companies, the transition from T-Mobile's pay-for-access to the AT&T free access was supposed to go at a much slower rate; only it seems AT&T and Starbucks have rushed things through, and T-Mobile is suing mad about the lost revenue.
T-Mobile should have seen this coming. The day the AT&T deal was signed, any more revenue T-Mobile ground out of their Starbucks relationship was froth on the coffee. It is hard to beat free.
In my mind, taking Starbucks out of the T-Mobile hotspot world, what is left? Some airports perhaps, but increasingly T-Mobile is a 2nd or 3rd tier carrier in the US anyway.
I am such a nerd/geek (for a good discussion on what the difference is, check out Brad Feld's article here), that I read this post in Fred Wilson's blog on Zemanta and had to check it out for myself. I am using it on this post and the previous one on Starbucks being sued by T-Mobile.
So far I am really impressed with how Zemanta works. It gives you a whole bunch of related content that you can use on your blog: pictures, related articles, links and tags. It also makes it easy to reblog. It works right in my Typepad blog editor. The only thing I can think of is that I would like to see it work in Windows Live Writer and ScribeFire, the two blog editors that I use for most of my stuff. But Zemanta is good enough that I don't mind using the Typepad editor to get this functionality!
So what do you think? Is it more noise or does it add value? Leave a comment and let me know.
I haven't been able to try ConfigCheck out myself yet, but reports from a couple of trusted sources have suggested it's a fantastically useful tool, and you can't beat the price as it's FREE!
Tripwire® ConfigCheck™ is a free utility that rapidly assesses the security of VMware ESX 3.5 hypervisor configurations compared to the VMware Infrastructure 3 Security Hardening guidelines. Developed by Tripwire in cooperation with VMware, Tripwire ConfigCheck ensures ESX environments are properly configured—offering immediate insight into unintentional vulnerabilities in virtual environments—and provides the necessary steps towards full remediation when they are not.
If I have time next week, I plan to give this a whirl, but I'd suggest that if you've already implemented VMware or are planning to, you should make use of a utility such as this...until it's bundled into the platforms themselves ;)
From what I can gather, this is the second year of the International E-Sports Festival, co-sponsored by China and South Korea. This year’s competition will be held in Wuhan, China on 10 Oct 2008. The screen shot above was posted at ief.com.cn/, which is billed as the official Chinese website of the 2008 International E-Sports Festival. The site now looks like this:
A little background on the games:
Planning for IEF was started in 2003 at the express request of China’s central government with the aim of providing positive, culturally appropriate Internet alternatives for Chinese youth. The government decided to pursue these objectives through the China Youth League, one of the most influential organizations in China. Many of China’s leaders, including President Hu, come from its ranks.
In November 2003, ‘e-sports’ was added as China’s ninety-ninth official sport by the Sports Bureau of the PRC’s Central Committee in order to add further importance to the objectives of the IEF. The organizing committee was formed to develop and implement initiatives to respond to the CPC’s constructive vision. Since then, the Committee has successfully developed and staged numerous very popular events under the banner of the IEF.
In January 2007 President Hu Jintao noted the success of IEF and issued policies designed to ensure the continuing development of culturally appropriate content and inculcating within China’s Internet community a culture of positive and innovative attitudes. In April 2007, the Central People’s Committee Political Bureau reinforced this policy by emphasizing the importance of developing a social-network model of Internet use by China’s youth.
Several reports coming out of China are suggesting the attack was carried out because South Korean committee organizers cancelled a promise to open a Japanese area. Furthermore, the hacker appeared to be…wait for it… Japanese. Yeah, the “Turkish hacker Firtina Bozo was here..!!” seems to have been lost on them. That one Hotmail address with a .jp tag must have blinded them to all other things contained in the message.
Just for fun I decided to see if there were other hacks by Firtina Bozo and let me tell you that is one busy individual.
It’s been a while since I posted on the blog and, even though I want to think the opposite, there is no acceptable explanation for it.
But I’m coming back by showing the most recent "work" I’ve done in the security arena. A few days ago I gave a presentation about the latest addition to my employer’s portfolio of professional services: anti-phishing and brand identity.
Apparently the Pareto principle applies to anti-phishing and brand identity protection as well: 80% of the tasks take 20% of the time, and the remaining 20% of the tasks take the remaining 80% of the long hours.
I’m proud to say we tackle the 20% of the tasks fast. Very fast.
So here is my presentation on "Phishing Exposed, Brands Secured". I made it in the same image-intensive style as my previous "E-Banking Web Application Security" presentation, and I hope you like it.
SourceForge’s 2008 Community Choice awards are open for nomination. Voting will begin after the nomination period concludes on June 20th, and the award winners will be announced at OSCON on July 24th. If you’re planning on participating, here’s a reminder of some of the amazing projects that Untangle leverages:
I'm always looking for analogies from the "real" world to figure out what is going to happen in security. The Managed Security Services (MSS) business has been evolving rapidly, so I figured I'd spend some cycles to find a market that has already been through this process.
Drum roll please... I think the best analogy to how the MSS business is evolving is the banking business. I know, I know. Banking is big and it's old (being around since before Methuselah) and how dare I actually compare an emerging security practice to the Brahmin business of banking? Hear me out and then call me an idiot.
The banking structure in the US is segmented into largely three buckets and a bunch of folks that want to act like banks:
Global powerhouses: These are the financial supermarkets, like Citi, Goldman, and Bank of America. They are big, and they offer pretty much everything that a company would need from a banking services standpoint.
Super-regionals: These are the largely US-centric, somewhat focused counterparts. I'm thinking like Wells Fargo and Wachovia. These folks want to be a global powerhouse, so they acquire assets as frequently as they can and they try to offer the smorgasbord of services - but they just aren't there yet.
Credit unions and regional banks: There are a ton of these locally oriented institutions that offer a focused set of offerings, usually geographically constrained. In the US alone, there are over 8500 of these companies.
Affinity offerings: If you are anything like me, you are hammered with offers for a credit card from every company you do business with. These folks aren't really in the banking business (with the exception of Wal-Mart, which does have its own bank), but they offer banking services. Mostly because they think customers enjoy having like 20 credit cards in their wallets.
I'm sure all the banking readers out there will tell me I'm wrong, which I probably am. But that's how a non-banking type looks at the market. Now how does the MSS business map to that?
Global powerhouses = Big IT MSS: If you've been paying attention, little companies like IBM, AT&T, Verizon, BT (and now HP, through their EDS deal) have substantial MSS offerings. And they are starting to turn the crank, mostly as add-ons to their other offerings. Security is a value-add and these large guys are leveraging existing customer relationships to build significant MSS market share. I know a lot of the other players say "they never lose to a carrier," but in reality, they never see these deals. Smaller companies are not invited to the table.
Super-regionals = MSS specialists: Folks like VeriSign, SecureWorks, and Perimeter come to mind. These guys have specialized practices that tend to focus on a specific vertical. They are doing deals to expand their scope because they want to be global powerhouses (except VeriSign, which is trying to sell that business). They fancy themselves to be nimble.
Credit unions and regional banks = MSS VARs: We are starting to see a lot of VARs dip their toes in the MSS water. Maybe they buy a couple of anti-spam gateways and then they are in the anti-spam services business. Likewise in Web or managing/monitoring firewalls. There are thousands of these guys cropping up, and there will be more - especially as some of the super-regionals start diversifying channels and private labeling their services via the MSS VARs.
Affinity offerings = Vendor SaaS: Any vendor that offers security software is working hard to position their stuff as a "service." They want to smooth their typically lumpy revenue stream and figure customers won't realize the "service" is basically their existing boxes hosted in a co-lo somewhere else.
Then there are others like Microsoft, Google and Symantec that sort of do MSS-type services, but really as a defensive position to protect their existing franchises. Although Google is trying to leverage Postini to break into the enterprise, it's an add-on service on a good day.
So what? I know that's really the question. Well, from a customer standpoint these dynamics are important. As with banking, working with a Global Powerhouse usually yields brand cachet (which means you don't have to answer why you're buying from them), but not necessarily the most innovative or nimble provider. If you want to have coffee with the guy running your security, you are likely to pick an MSS VAR, which will give you access to whatever you need. But you take on the risk of size, viability, and the ability of your provider to scale.
Those looking for specialized knowledge, most likely vertical, will pick the MSS specialists. Though in the not-too-distant future, you'll see the mid-tier super-regionals getting squeezed. They are too big to really pay attention to their customers. But they are too small to compete on a global basis or apply significant pricing bundles that will make a difference to the customer. VeriSign looking to get out of the MSS business is an indication of this trend, and you know the larger independents would take a deal in a hot second if they could give investors back their capital with a reasonable return.
I also believe the vendor SaaS will turn out to be a passing fancy. Sure, it would be great to get an anti-spam service from someone who really knows how to make the equipment work (basically the vendor that built it), but over time they will not be able to get to the scale to make the economics work. Now it's about marketing. Over time, it's about scale.
But the good news about MSS is that you are making a 1-2 year decision. Switching costs are pretty low, so user organizations can constantly shop around and find the best match for what they are looking for.
As anyone who knows me, uh, knows, I am a big Apple guy. Love my Macs, love my iPhone. So like anyone else that is excited about the iPhone, I can't wait for next week. The biggest definitive news that I have seen in the past week that indicates to me that something is coming is this shot from an Apple reseller about boxes that have started to arrive over there.
As a marketer and a security professional, I think I am well placed to make a comment on an area I think this blog will repeatedly come back to.
Segmentation.
Now, in marketing terms, segmentation refers to finding similarities between members of your existing or targeted market and tailoring the offering to them to ensure you attract and retain the highest number of profitable customers possible.
It seems that the fraudsters have been doing the same:
Now no-one will be surprised to see this of course, especially if you are a security professional.
In fact you probably do "Segmentation" in a way when you assess the risk of fraud for particular systems or customer groups, tailoring the security to where the need is.
So I would suggest if you are a security professional reading this to think about two things.
1) Who within my customer base NEEDS the most security when they are accessing their account?
2) Who within my customer base WANTS more security when they are accessing their account?
Given the recent survey from Abbey (part of the Santander banking group) in the UK, which found that 67% of their customers don't want added security, what about the other 33% who do WANT it? They will be more loyal customers if you are giving them additional benefit.
What percentage of those 100% are high net worth individuals who NEED additional security?
Crackers briefly hijacked hacking tools website Metasploit.com on Monday. Metasploit is an advanced open-source exploit development platform used by most pen-testers, and a tool we often mention here on Darknet. On Monday the site was redirected to a page announcing the site was “hacked by sunwear ! just for fun”, as recorded by Sunbelt...
You probably have read about the interesting Comcast domain hijack a few weeks ago that took very little technical skill. Apparently these two hackers were able to social-engineer their way into the Comcast domain registration account that is managed by Network Solutions. Once they had access, they apparently changed the DNS record of Comcast.net to point to name servers under their control, thus hijacking the domain. For a short time they redirected Comcast users to a web page stating the following:
"KRYOGENICS Defiant and EBK RoXed Comcast, sHouTz to VIRUS Warlock elul21 coll1er seven."
Network Solutions spokeswoman Susan Wade disputes the hackers' account. "We now know that it was nothing on our end," she says. "There was no breach in our system or social engineering situation on our end."
Deny, deny, deny... not surprised at this response, since it makes providers like Network Solutions look really bad. Sooner or later all the details about how these guys did it will come out... then the truth will be told.
In the meantime... what can you do to prevent your site from being the next Comcast? Believe it or not... Network Solutions actually has a few good suggestions! Note: this was apparently posted after the Comcast domain hijacking incident... hmmmm... coincidence or not? :-)
Seriously though. I don't blame Network Solutions entirely, as many companies forget that domain registrations require maintenance and regular review of the security controls around them. By the way, the Wired article that I mentioned above is a great read... and probably the best article currently out there on the hijack.
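The two controls the post keeps coming back to are that the name servers actually published for your domain should match a known-good baseline, and that the registrar account should not be the only thing standing between an attacker and a DNS change. The script below is an added example written for this post (not Network Solutions' suggestions or code from the original article): it compares observed NS records against a baseline and checks whois output for the standard EPP lock statuses. The domain, name server names and whois text are constructed sample data so the check runs offline; a live deployment would feed it the output of a real NS lookup and a real whois query.

```python
"""Registration hygiene checks for a domain you own (added example, constructed data)."""
from dataclasses import dataclass, field

# Standard EPP status codes registrars expose in whois output. Without them, a
# stolen registrar-account login is enough to repoint, transfer or delete the domain.
REQUIRED_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}

# --- constructed sample inputs (placeholders, not real infrastructure) ---------
SAMPLE_DOMAIN = "example.com"
EXPECTED_NS = ["ns1.example.net.", "ns2.example.net."]          # the known-good baseline
OBSERVED_NS = ["NS1.example.net", "ns2.example.net", "ns1.rogue.example"]  # what DNS now says
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""


def normalize_ns(names):
    """Lower-case and drop the trailing dot so 'NS1.Example.NET.' == 'ns1.example.net'."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}


def parse_whois_status(whois_text):
    """Collect the status code from every 'Domain Status: <code> <url>' line."""
    statuses = set()
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "domain status":
            parts = value.split()
            if parts:
                statuses.add(parts[0])
    return statuses


@dataclass
class DomainCheck:
    domain: str
    ns_added: set = field(default_factory=set)     # name servers nobody authorised
    ns_removed: set = field(default_factory=set)   # baseline name servers that vanished
    missing_locks: set = field(default_factory=set)

    @property
    def hijack_indicators(self):
        """Any NS drift is treated as a possible hijack until a human confirms a planned change."""
        return bool(self.ns_added or self.ns_removed)

    @property
    def ok(self):
        return not (self.hijack_indicators or self.missing_locks)

    def report(self):
        lines = [f"{self.domain}: {'OK' if self.ok else 'ATTENTION'}"]
        for ns in sorted(self.ns_added):
            lines.append(f"  unexpected name server: {ns}")
        for ns in sorted(self.ns_removed):
            lines.append(f"  baseline name server missing: {ns}")
        for lock in sorted(self.missing_locks):
            lines.append(f"  registrar lock not set: {lock}")
        return "\n".join(lines)


def check_domain(domain, expected_ns, observed_ns, whois_text):
    """Compare live NS data with the baseline and verify registrar locks."""
    expected, observed = normalize_ns(expected_ns), normalize_ns(observed_ns)
    return DomainCheck(
        domain=domain,
        ns_added=observed - expected,
        ns_removed=expected - observed,
        missing_locks=REQUIRED_LOCKS - parse_whois_status(whois_text),
    )


def run_sample():
    """Run the check over the constructed sample data."""
    return check_domain(SAMPLE_DOMAIN, EXPECTED_NS, OBSERVED_NS, SAMPLE_WHOIS)


if __name__ == "__main__":
    print(run_sample().report())
```

Scheduling this against every domain you own, with the baseline kept somewhere the registrar account cannot edit, turns "regular review of the security controls" into something that actually pages someone when an NS record changes or a lock quietly disappears.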
Good Morning: Earlier in the week I talked about time flying and the need to prioritize it. I've been trying very hard not to be dominated by my watch or the Gantt chart that floats in my head. Most of my life I've viewed time based upon what I haven't gotten done, rather than what I have. Of course, those are the two ways of looking at the issue, eh? There are half-empty people and there are half-full people. I can tell you it's very hard for a half-empty person to become half-full, though I am working on it every day. After reading the news clippings about Senator Obama becoming the presumptive Democratic presidential candidate, I finally figured out why I've been obsessing about time lately.
Basically, the US ebbs and flows in 8 year cycles. And yes, it seems (at least throughout my adult life) that the ebbs and flows tend to coincide with regime change in Washington DC. So I've been a bit pre-occupied in thinking about the next 8 years. Probably because of the major and significant life events that have happened over the past 8 years.
Just a few little things like bringing 3 kids into the world, buying and/or selling 6 houses, selling a company, getting fired from two others, moving my residence, starting a new business, and probably a bunch of other "minor stuff." I wonder what the next 8 years have in store. I can look at the issue relative to how I'm not where I thought I'd be back in the fall of 2000. Or I can think about how far I've come since the fall of 2000. I'm going to choose to bask in all of my accomplishments for a few minutes anyway.
I know that time flies. It felt like yesterday that I was up all night watching the returns from the 2000 election, while my 3 day old daughter was lying in a bili light to clear up some post-birth jaundice. Now she's almost 8 and a real person with real opinions, dreams, desires, and perspectives. The twins are getting there shockingly fast as well. It's hard for me to imagine the discussion around the dinner table in the summer of 2016, as we are talking about the next Presidential election.
So I won't. I'll just enjoy how time is flying and do my best to enjoy the ride. Have a great weekend.
Photo: "Time Flies" originally uploaded by sergei.y
The enemy of your friend is what? So what? - Outsourcing is happening. That's a fact. Whether it's looking at having someone manage your email servers, your big iron, or all of your development operations, if someone else can do it cheaper and maybe even better, it's worth a look. That being said, given the regulatory oversight and scrutiny on pretty much every business, a little bit of care and due diligence is required before you hand over the keys to the kingdom. This Network Computing article goes over some of the basics relative to putting a potential outsourcer through the paces. I'm not so concerned about the process; I'm concerned to make sure that at least someone asks this question BEFORE the contract is signed. I know of a lot of deals where the implementation and transition of the services are problematic because no one paid attention to data security until the data was in someone else's hands.
No, this doesn't make Vista any easier to digest So what? - Not surprisingly, Microsoft Vista's UAC technology, which requires authorization to make O/S-level changes in the Registry and to install software, does a good job of stopping rootkits. The product was architected to stop these kinds of intrusions. And it's also not surprising that most of the AV suites suck at rootkits, given that they suck at most things, except finding the stuff we've already seen, maybe. My point is that it's all about the user experience. UAC works, but it's vilified because users hate it. It took 8 years to build that O/S and you're telling me that not one of their focus groups thought the user experience was terrible? Not one? Ultimately Microsoft will fix the issue and make it less obtrusive. You know, kind of like a Mac. (Couldn't resist.) Until then, knowing that there is no great desire to move all PCs to Vista, make sure your containment plan is top notch. You are going to need it.
Dealing with those "rogue" devices So what? - I never understood the folks that take a penny-wise and pound-foolish approach to technology. Large companies that make their employees purchase their own productivity tools make me scratch my head. Do they not realize that having to support their remote employees using non-standard technology will cost them more? But that's neither here nor there. Ultimately these smart-phone things are happening and they are going to show up in your organization. Most likely in your pocket as well. So you may as well start planning and building some defenses and policies to make sure your data isn't at risk and that your support costs don't skyrocket. InformationWeek has a decent article here about how to secure those devices. Simple things like using VPNs and not using public WiFi. Duh! As I mentioned yesterday, tomorrow's smart-phones (and with next week's imminent announcement of iPhone 2.0, tomorrow is here soon!) are really more like computers than cell phones. So you should treat them like computers and have similar defenses in place. Doesn't seem like brain surgery, but I guess everyone thinks it is.
The Laundry List
Maybe HD should send the Metasploit download link to all the other jokers at his hosting provider. It's always fun to clean up after some dumb network admin at a co-lo. - Zero Day blog
The only thing that worries me is when folks upgrade their "worry-free" offerings. Hope is not a strategy. So buying something that tells you it's worry-free doesn't make it so. - Trend release
VeriSign adds ArcSight gear to its managed log offering. Guess they missed the case in B-school about how Southwest is the only profitable airline because they manage ONE type of device. - VeriSign release
Fortinet gets ICSA anti-spam certification. The paper says it's 2008, but sometimes I'm not so sure. Seems like a circa-2005 announcement. - Fortinet release
Top Blog Postings
We can't write secure code - so let's give up! Most of the time I really like Stuart King's blog. Given that I'm focusing today's blog ramblings on application security, I thought I'd point to a piece that Stuart did on writing secure code. His point is basically that we can't. Things are too complicated, those damn users just want too much functionality and they want it yesterday. So all the training and tools and other stuff we do is for naught. Good! Now I can sit at the pool for the rest of the day, since it's all worthless anyway, right? Then Stuart basically falls back into the tried and true security mentality of throwing a box (a web app firewall) at the problem. That's a cop-out. First of all, a WAF is not a panacea for application security. And just because users want more and faster doesn't mean they should get it. Everything gets back to a business decision. If the business decides it's worth the risk to roll an application that has holes, so be it. Just make sure they understand that when the dudes in the radioactive suits come in to clean up the mess. By the way, I'm all for WAF as a supplement to application security efforts, WHERE APPROPRIATE. But to give up the ghost on trying to write secure code because it's hard isn't the answer either. http://www.computerweekly.com/blogs/stuart_king/2008/05/david-lacey-makes-the-importan.html
Unfortunately most of the world is doing it wrong... Clearly it's not "that" they are doing wrong, because world population continues to grow. But as Gunnar points out, thinking of software and security as two separate things is kind of beside the point. Seriously beside the point. GP talks about building a "strong center," and making sure that everyone is pulling in the same direction. It sounds kind of Zen-like, but that's a good thing. I sense a ripple in the Force, and that is letting the bad guys have their way with the applications. Kumbaya, you all. That's the answer, kumbaya. http://1raindrop.typepad.com/1_raindrop/2008/05/software-and-security-separateness---youre-doing-it-wrong.html
Someone sign this guy to a book contract One of the great things about the blogosphere is that there is no lack of folks willing to share their expertise and help educate the masses about a variety of topics. That is certainly the case in the security business, where Dre has contributed this treatise on software security to the world. It's good stuff and a good background on the issues that are facing software developers as they try to make their code better and less holey. Is that a word? Anyhow, even better is that Dre also references supporting material and other links to help folks continue their educational efforts. I suggest newbies (no, not Newby, but new security professionals) bookmark this post and gradually work through Dre's reading list. You'll be a lot smarter for it. http://www.tssci-security.com/archives/2008/05/29/software-security-a-retrospective/
DEMIDS is an early paper on how to detect errant use of a database. As an overview, the paper describes a system where misuse is 'detected' by the use of a distance function. It attributes a set of tables or database functions as the normal domain of a user, and everything that the user accesses outside of that specified domain has some distance factor associated with it. Tables in other schemas are viewed as being a certain distance outside of that domain, and tables in a different database further still. The further away a resource is, the more likely there is misuse. It is a basic assumption that the users are sufficiently privileged to perform the access. And it is inherent in the methodology described that the system is closely coupled to the database itself, and it performs the work of detection locally.
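To make the distance idea concrete, here is an added example written for this post; it is not DEMIDS's code or its exact scoring function. It implements the overview above: each user has a profile of tables that form their normal domain, and every access is scored 0 if it lies inside that domain, 1 if it is another table in a schema the user already works in, 2 if it is in another schema of the same database, and 3 if it is in a different database. Those weights, the `database.schema.table` naming, the audit-log line format and the users, tables and threshold are all constructed assumptions for the demonstration; the paper's assumption that the user was privileged to perform every access is kept, since the detector only scores accesses that already succeeded.

```python
"""DEMIDS-style distance scoring over a constructed audit log (added example)."""
from collections import defaultdict

# Assumed distance scale; inside the user's domain costs 0.
DIST_SAME_SCHEMA, DIST_OTHER_SCHEMA, DIST_OTHER_DB = 1, 2, 3

# Constructed user profiles: the set of resources that is "normal" for each user.
PROFILES = {
    "alice": {"sales.public.orders", "sales.public.customers"},
    "bob": {"sales.hr.salaries", "sales.hr.employees"},
}

# Constructed audit log lines: "<timestamp> <user> <database.schema.table> <operation>".
SAMPLE_AUDIT_LOG = """\
2008-06-05T10:01:00 alice sales.public.orders SELECT
2008-06-05T10:01:07 alice sales.public.invoices SELECT
2008-06-05T10:02:13 alice sales.hr.salaries SELECT
2008-06-05T10:02:40 alice payroll.dbo.accounts SELECT
2008-06-05T10:03:02 bob sales.hr.salaries UPDATE
2008-06-05T10:03:15 bob sales.hr.employees SELECT
""".splitlines()


def split_resource(name):
    """'db.schema.table' -> ('db', 'schema', 'table')."""
    db, schema, table = name.split(".")
    return db, schema, table


def distance(resource, domain):
    """How far one accessed resource sits from a user's normal domain."""
    if resource in domain:
        return 0
    db, schema, _ = split_resource(resource)
    domain_schemas = {split_resource(r)[:2] for r in domain}  # (db, schema) pairs
    domain_dbs = {split_resource(r)[0] for r in domain}
    if (db, schema) in domain_schemas:
        return DIST_SAME_SCHEMA
    if db in domain_dbs:
        return DIST_OTHER_SCHEMA
    return DIST_OTHER_DB


def parse_audit_log(lines):
    """Group accessed resources by user, preserving order; malformed lines are skipped."""
    sessions = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, user, resource, _ = parts
        sessions[user].append(resource)
    return sessions


def score_session(user, accesses, profiles, threshold):
    """Sum the distances of a user's accesses; a user with no profile has an empty domain,
    so every access scores as 'other database'."""
    domain = profiles.get(user, set())
    out_of_domain = []
    total = 0
    for resource in accesses:
        d = distance(resource, domain)
        total += d
        if d:
            out_of_domain.append((resource, d))
    return {"user": user, "score": total, "flagged": total >= threshold,
            "out_of_domain": out_of_domain}


def analyze(lines, profiles, threshold):
    """Score every user's session in the log and return the results keyed by user."""
    return {user: score_session(user, accesses, profiles, threshold)
            for user, accesses in parse_audit_log(lines).items()}


if __name__ == "__main__":
    for result in analyze(SAMPLE_AUDIT_LOG, PROFILES, threshold=4).values():
        status = "MISUSE?" if result["flagged"] else "ok"
        print(f"{result['user']:6} score={result['score']} {status} {result['out_of_domain']}")
```

Because the score accumulates per session, a single stray query to a neighbouring table stays below the threshold while a drift across schemas and then into another database does not, which is the behaviour the distance formulation is meant to capture. Note that the detector sees only names, so it has to run where the audit trail is, next to the database, exactly the local coupling the paper describes.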
It is at the Alert Logic facilities @ 1776 Yorktown, 7th floor, just south of the Marathon Oil tower on San Felipe. It will start at around 6:30pm.
Below is the information on the talk and the speaker. I expect the talk to last about 25 minutes, and then it will be open to questions and comments. We can just let it grow from there.
Thanks to Adam Pridgen for volunteering for this. In the future, if you have something you want to speak on, please let me know.
Michael Farnum
—————————-
Speaker:
Adam Pridgen
Title:
Reverse Engineering Software with Basic Protections
Summary:
The presentation will cover the basics of reverse engineering malware or any other software protected with basic protectors and packers using ImmDbg, IDA Pro, LordPE, ImpRefound, Wireshark, and an IRC server. The presentation will walk through dumping the malware to disk, and then cover the general process I used to identify the command structure, functionality, and required parameters to interact with the malware sample.
Bio:
Adam Pridgen is an independent security researcher and contractor. Previously, he worked for Foundstone Professional Services where he was involved with code reviews, threat models, and penetration testing, among other tasks such as teaching and lab development for Foundstone’s Ultimate Hacking classes. Prior to Foundstone, he spent a little over five years in the security community working on software development projects, software testing, and in telecommunications for a variety of organizations. Adam’s most notable accomplishments include an MS and BS in Electrical and Computer Engineering and an Honorable Discharge from the US Army.
Angry IP Scanner is a very fast IP address and port scanner. It can scan IP addresses in any range as well as any of their ports. It is cross-platform and lightweight. Not requiring any installation, it can be freely copied and used anywhere. Angry IP Scanner simply pings each IP address to check if it’s alive, then [...]
This was my first time at the Hacker Halted conference, and it was quite enjoyable. I loved the venue, and the talks were informative.
One major disappointment was that Howard Schmidt didn’t talk as planned due to travel issues. It’s not the conference’s fault, but I thought his talk would be the highlight of the event.
The presentation I enjoyed the most was by Johnny Long on no tech hacking. I missed his talk at Black Hat last year, and finally I got the chance to see it. His presentation skills are excellent, and the talk was very interactive.
Since the conference was run by EC-Council, the group that runs the Certified Ethical Hacker program, and the conference was called Hacker Halted, I thought the audience would include more security professionals. Instead there were lots of middle managers, entry-level IT security folks, and college students.
But I still got to meet some interesting people, and have interesting conversations about information security.
Thanks to Leonard Chin, and Hacker Halted for allowing us to cover the event.
Update: My (limited) pictures are now up on flickr.
Samy Daniel Burd is my new hero. The Record brings the story of a young high school student that, as part of a school project, found a microbe that eats plastic and can be used to decompose plastic bags. This (very) young kid scientist showed that sometimes, different thinking is needed. While others claim that plastic doesn't biodegrade and plastics, like diamonds, are forever, Daniel proved that when it looks like you're facing a dead-end, different thinking is needed. There's always a way to solve a problem.
Inbox too full? Subscribe to the feed version of Black Hat Security Bloggers Network in a feed reader.