Saturday, June 14, 2008

Spliced feed for Security Bloggers Network

If Rohati is King Arthur, what does that make Stiennon ... [StillSecure, After All These Years]

Posted: 14 Jun 2008 07:12 AM CDT

Sir Lancelot or Guinevere? Hey, don't laugh, it could happen to you. In the meantime, what has Richard so hot and bothered that he is ascribing mythical qualities to Rohati?  It seems they are using a layer 4 to 7 firewall to control access to applications. They call it network based entitlement control.  I wonder how they stack up to Palo Alto Networks and some of the other next gen application aware, access control firewall products.  From what I understand Nevis Networks and ConSentry can do similar things with the firewalls in their secure switches.

Nevertheless Rohati has gotten some good press, albeit with most coverage carping on the fact that they are founded by former Cisco employees (there are enough former Cisco employees to found many companies I would think). I do think that application aware access control is of tremendous value and this technology will find its way into many technologies. It is a logical extension of identity based access control. 

As usual though Richard can't resist taking a few cheap shots at NAC vendors.  In Richard's idyllic view of Camelot, somehow performing pre-connect health or integrity tests is the devil's own work.  Richard will just admit that these tests have value and people want them.  They do not preclude doing the rest of the job of access control that Richard seems to approve of though.  Alas, Richard and I have danced this dance before and I am not going to get into why it is important.  In fact, here is a new tack for you Richard: it is not important. If you are not going to be convinced, forget about them.  Look beyond admission control tests at what NAC vendors offer around access control and you may find a similar type of technology to Rohati in the near future. 

Until then, though, Richard, let me paraphrase Merlin from the movie Camelot: "Never be too disturbed if you don't understand what a former analyst is thinking. They don't do it very often".

Mr Bump has a problem with me being frustrated by loving customers [StillSecure, After All These Years]

Posted: 14 Jun 2008 12:26 AM CDT

So my friend Mr Bump has a problem with my post on vendor frustrations with customers. For those who don't know Mr Bump, he writes about "NAC in the real world", originally about his deployment of Nevis Networks' product. At first I thought Mr Bump was a pseudonym for Dom Wilde over at Nevis, but over time I actually like some of what Mr Bump writes and he contributes to the security blogosphere in a positive way. I just like to give him crap about his choice of NAC vendors, but it is all in good fun. Plus I actually like and respect Dom Wilde and that kind of unscrupulous behavior is not his thing.  There is another NAC vendor who plays fast and loose like that though and I will be writing more about that this week, so stay tuned.

Mr Bump responds to each of my three points, but before I get to that, let me clear up a few things. First of all Mr Bump says that this is his problem with 90% of all "sales" people. Mr Bump, you obviously have some issues with sales people. Were they mean to you when you were young? Did your Mom like the salesperson sibling better? Do you secretly dream of being a sales person? Just kidding, but seriously, I did not write my article from the point of view of a sales person. Sorry you confused me with one, though as I have said before we all sell everyday, whether we admit it or not. I was writing from the point of view of a business owner, trying to build a solid business one customer at a time. I am not concerned with short term commissions, but building out a solid customer base. This way I can sell the business for a huge profit and you can call me a slimy entrepreneur ;-).

Also, I can complain as a customer, that is my right. Equally so it is my right to complain about customers as well. I guess I can complain about anything I want on my own blog, not sure why that should bother you. Think of it this way. We all wear different masks in different roles in our lives. Sometimes we wear the Daddy mask, sometimes the boss, sometimes the employee, etc, etc. Being one in one situation, does not preclude you from being another in another situation.

Now, on to the show. Mr Bump doubts my sincerity about being upset when a new guy comes into a customer replacing the guy who bought the product and we have to start all over with them. He says I am kidding him. I made my sale and collected my commission and am on my way. Well Mr Bump, I suggest that if that is the kind of security vendors you deal with, find new ones! Any good business person can tell you that one unhappy customer is worth 10 happy ones. It is about building long term customers. That is how you build a business, not about being bandits who come in, rape and pillage, collect the commission and move on. I have known sales people who have sold to the same people over and over again, because they do care for more than the short term commission. I am sorry you can't believe it and you can't see how it frustrates a vendor. But sometimes we will work with a person for months or even years and build a deep relationship. As part of the game, they move on, I get it and that is the way it is. But it is very frustrating starting from square one with the new guy who may have a pre-conceived prejudice.

Next Mr Bump finds it unbelievable that I would care if a product implementation got delayed. Again, this speaks wonders to the kind of security vendors he deals with. It is not about if my resources are committed at all. Mr Bump I can't wait to get you up and running so you can tell your friends and others about what a great product and company you deal with and we can continue building the business. Also, believe it or not I care that all of a sudden a maintenance fee comes up because the time starts running from the date of sale and the customer hasn't even used the product yet. Shelfware is a failure for a vendor. Delaying implementation is the first step to shelfware. Please Mr Bump spare me your "in the trenches and grenades" story. Most hard working people at security vendors or anywhere else for that matter are not sitting around playing foosball either! We all deal with emergencies and priorities. I am keenly aware of the security and network admin's job pressures and have tried to build a company that actually makes your life easier. Again, I can only assume you are dealing with quite a bunch of vendors if you feel this way.

Lastly Mr Bump almost agrees with me about using the product in unintended ways. Mr Bump I can put you in touch with people who have done this. You have to remember that unlike your NAC vendor, our stuff is built on off the shelf hardware with an open, standards based OS and database, etc. People who are comfortable around a command line and Linux like to play. We don't mind, just realize how hard that makes our support obligations though and don't expect us to fix what you "developed".

So I hope that clears that up. Like I said in my comment on your blog, too bad you didn't pick a better NAC solution you might have a different opinion of security vendors and maybe even sales people ;-)

Trend vs Barracuda - its not about open source, its about the money! [StillSecure, After All These Years]

Posted: 13 Jun 2008 10:39 PM CDT

Interesting interview with the CEO of Trend, Eva Chen at PC World on the Barracuda patent infringement suit that Trend has brought. A couple of things are pretty clear reading Chen's responses to the questions:

1. This law suit is being fought as much in the court of public opinion as it is in the courts of law.  For that Dean and the Barracuda crew deserve credit. They have done a good job of making this a Trend versus open source community suit.  From Chen's answer it seems Trend was taken totally by surprise by Barracuda's aggressive PR and their ability to turn elements of the open source community against Trend.  The pity for Trend is that Chen actually does make clear the difference between Clam AV just being a virus scanner and the way Barracuda uses Clam AV as part of the gateway. If they would stick to that and not talk about who makes money from it, they might be able to get the open source community to leave this one alone.

2. In Trend's view this is not about open source but about money.  I think Chen shoots Trend in the foot with this argument.  She seems to say that because Barracuda is a for profit company that is why they are suing them. "If ClamAV was making money, they would sue them too" is the dangling metaphor there. Here is what Chen says, "But we were not suing ClamAV. Barracuda is a for-profit company. They are taking ClamAV, putting it on their gateway and making money out of it. It's not free software that we are suing, it's Barracuda." So it is all about the money then. If ClamAV was making money Trend would sue them too?

3. After already suing and winning against IBM, McAfee and most of all Fortinet, Trend is very confident that their patent is the real deal in a court of law. If the Xie brothers couldn't find anything to throw this out, they are not worried about the likes of Dean Drako.  But as I said, while litigating this Trend is taking black eyes and body shots in the public opinion arena every day.

4. The last thing they want is to get Sourcefire involved in this suit.  You can't tell me that at this stage of the game Chen would not know if they have cut a deal with Sourcefire or not, the owners of ClamAV. Yet she plays as if she never even heard of them and would have to ask her lawyers. I suspect this is because they think that Sourcefire has more open source "chops" than Barracuda and this would turn this thing into a PR disaster for Trend.  It could be this same reason that played a part (I think it is the big reason) in Barracuda bidding for Sourcefire.

In any event it will be interesting to see how PR and public opinion play in the eventual outcome of this suit.

Loving customers frustrate security firms too [StillSecure, After All These Years]

Posted: 13 Jun 2008 07:45 PM CDT

Roger Grimes has a good article up on his InfoWorld, Security Advisory blog entitled "Security firms frustrate loving customers". Roger details some specific examples of how security vendors just don't "show the love" to customers and prospective customers, with the result being lost business. Roger highlights three examples:

1. Making renewals a manual process with those annoying phone trees. I agree, when I hear the press 1 for this and press 2 for that, my blood starts to boil. There is no reason that this can't be built into the product to renew over the web. Security or no, any software vendor not doing this is just plain crazy.

2. Calling into a company with a sales inquiry and the sales guy never calls back. This one just kills me. When doing due diligence on potential acquisitions at a prior company I would call in or email with a sales inquiry and wait to see how long it would take for them to get back to me. It was a good indication of how well the sales organization and company functioned.

3. Killing the deal with one sided, overly legal and burdensome terms. Another one that I battle all the time. The CFO has to be able to recognize revenue so needs specific T&Cs. The lawyer wants to protect the vendor against all eventualities and is doing his job. You want to make as few warranties and representations as possible to limit your liability. The result: the customer gets a one sided, unfair document with fine print on maintenance pricing, renewals, SLAs, etc. Most customers don't even read the EULA. Take a look at some of the ones with software you have bought. It may surprise you.

But in my best Fox News voice, let's be fair and balanced. So in that vein, let me give you 3 specific examples of how loving customers frustrate security firms:

1. The guys who picked the product leave and the new guy comes in and doesn't have a clue. This happens all the time, especially in the government. One guy or team buys the product for a specific reason and has all of the expertise. The new folks come in and even if they know your product is there, they don't know why or how to use it. They may feel they inherited this product and have their own favorite product in this category. They can't wait to replace you and either don't use the product at all or blame the problems of the world on it.

2. Buying the product and then "other priorities" delay implementation. A surefire recipe for shelfware. When I see this happening I tell our folks better to be a pain in the butt and force them to use the product they bought than to sit around watching the license expire on the shelf. The longer the product sits, the more it becomes a nice to have, rather than the must have that drove the sale. Now sure, one can say what does the vendor care, the customer paid. If he doesn't use it, less support costs. But you don't get renewals, you don't get upsells or referrals without customers using the product.

3. Using the product in unintended ways. Another favorite heartburn of mine. Customers figure just because the application runs Linux underneath, why can't I run (You Name It). We recently had a customer that was chewing up support hours like the dial at a gas pump today. It turns out the problems were all due to all of the other software that he had put on the box, not to mention editing .conf files, database tables, etc. It is hard enough supporting the software we developed. It is a whole other story supporting software that you have written.

So Roger, yes the customer is always right and security vendors have to get their act together if they want to survive, let alone compete in these tough economic times. But customers certainly don't make the job any easier with some of the shenanigans they pull.

PCI on Disaster Recovery and Backups [PCI Blog - Compliance Demystified]

Posted: 13 Jun 2008 07:04 PM CDT

Have you considered disaster recovery for your payment systems?  Do you know the only thing that PCI DSS compliance requires you to backup?  David Bergert writes about the basics of how to prepare your payment systems in the event of a disaster.  But missing is the one critical element required for compliance.

The phrase “disaster recovery” does not appear in the PCI DSS.  The phrase “business continuity” only appears once in requirement 12.9.1 as, “[verify that the Incident Response Plan includes a] strategy for business continuity post compromise”.  Instead of referencing disaster planning the PCI DSS references backups.

There are a number of PCI DSS requirements relating to backups, such as:

  • 9.5 “store media back-ups in a secure location”
  • 10.5.3 “Promptly back up audit trail files”

What was that?  The answer is that audit logs are the only thing companies must backup for PCI DSS compliance.  Now, companies will want to continue business and as a result will backup all of their critical systems and corporate information, but this is outside the scope of PCI compliance which focuses on the security of payment card data.

Personal Plug: I'm hiring [Security Retentive]

Posted: 13 Jun 2008 06:50 PM CDT

PayPal's information security team is hiring.

Specifically - I'm hiring an Application Security Researcher.

Primary responsibilities will be:
  • Lead Research on browser security models
  • Research new application security attacks and countermeasures
  • Develop prototypes of security protection mechanisms for browsers and PayPal software to implement and prove application security ideas
  • Conduct web application security assessment
  • Participate in the development, review, and update of application security standards
  • Work with PayPal's SDL group to improve the security of PayPal developed applications
  • Research new development techniques
  • Research new development, languages, testing methodologies, and frameworks to improve the security of PayPal applications.
If you're interested in other security positions we also have open, please go to: http://www.ebaycareers.com/

You can search for jobs with the keyword "security" under PayPal. Brassring makes posting a whole list of positions tricky.

Storming SIP Security - now available just a click away [SIPVicious]

Posted: 13 Jun 2008 05:56 PM CDT

Time to release the hakin9 article to the public. This article was first released in the February edition of the English hakin9 magazine.

Download now (takes you to EnableSecurity).


Added: The listings can be found here.
Thanks to Chris Gates for noticing that I forgot to include the listings.

RECON 08 Day 1 [DVLabs: Blogs]

Posted: 13 Jun 2008 05:42 PM CDT

Posted by Pedram Amini
RECON is a single-track reverse engineering focused conference held bi-yearly in Montreal. The 2008 showing is the third iteration of the conference with hopefully many more to come. RECON is hands down my favorite conference, a sentiment shared by many other RECON attendees. A number of factors elevate this con above others:
  • The talks. The general technical level of the talks at RECON, I feel, exceeds most other cons.
  • The size. RECON feels like the perfect conference size. Large enough to bring many smart minds together and small enough to keep it very informal and social. The single-track format allows you to catch everything.
  • The attendees. Lots of industry rock stars gather for RECON. Just looking around the room this morning I see Ilfak, Dino Dai Zovi, Gera, Alexander Sotirov, Rolf Rolles, Nicolas Brulez and Nicolas Pouvesle.
  • The city. Montreal is a great place to eat and to party. The conference organizers know this and start the con at a very reasonable time of 10:30. Plenty of time to close the bars out at 3:00am and get your beauty sleep in.
  • The AV quality. Despite the limited budget and small conference size, the RECON guys put together the most usable and high quality audio / visual recordings of the talks for those of you who couldn't make it to the con. And it's made available for free.
  • The organizers. David, David, Hugo and Guillaume aren't running this con for the money. Every spare penny they have goes towards a bar tab or some other perk. They do a great job putting a family feel on the con. At RECON 06 for example there was a Sunday BBQ at Guillaume's house.
  • The way they treat their speakers.
My whole team attends RECON and we try to participate as much as possible. I spoke at the first two RECONs on Process Stalker and PaiMei respectively. This year I get to relax while my team mates Cameron, Aaron and Ali present on reverse engineering Mac binaries and compiled Python. On to the talks...

Pierre-Marc Bureau spoke about the history and reverse engineering of the Storm bot net. He covered some of the various protection mechanisms the bot agents employ. How they communicate. How they spread etc... Pierre will be releasing a tool for automatic extraction of daily hash search values, for those of you interested in potential network take-overs. This task has been undertaken by another team of researchers and is similar in nature to what Cody and I did with our Kraken analysis. The most interesting discovery that Pierre made in his research was that the Storm authors copied their rootkit technology directly out of Greg Hoglund and Jamie Butler's book and that the P2P functionality is not custom coded but rather utilizes the KadC library.

Bruce Dang is a Microsoft SWI employee and spoke about the Microsoft Office document file format. He covered the file format specification, malicious file analysis techniques, exploitation methods and attack mitigations. He noted that a common shellcode technique for determining the current file handle is through a brute force loop calling GetFileSize() and comparing against a known file size. For a quick and dirty way to skip the vuln repro and execute the shellcode one can dump it to a file, open the file with notepad and force execution of the shellcode with a debugger. This will satisfy the file handle brute force loop. As an interesting attack mitigation, Bruce recommends running all documents through MOICE which will convert the binary file format into an XML doc. Granted, this assumes that MOICE doesn't have any bugs of its own.

Ilfak Guilfanov is a name that almost anyone in the business has heard of before. Ilfak is of course the creator of the industry standard disassembly tool IDA Pro. David Ahmad made a funny and true comment that everyone loves Ilfak as both attackers and defenders, white hats and black hats all use IDA. Ilfak began with an overview of the IDA architecture and IDB file format. He then focused the remainder of his time discussing the construction of plugins. During the Q and A section of his talk he mentioned some of the upcoming features of the soon to be released version of IDA. The biggest improvements he mentioned are in the debugger component. The debugger is now more robust in the handling of multi-threaded targets, furthermore the debugger server is now multi-threaded itself allowing for multiple simultaneous debug client connections.

Thomas Garnier spoke on Windows privilege escalation via LPC/ALPC. Most unfortunately I missed this talk. Sorry Thomas.

Nicolas Pouvesle, the machine of a man that he is, silenced the crowd with a walkthrough of the creation of (the world's first?) remote Netware kernel stack overflow exploit. There were many hurdles to jump, but in the end he demonstrated a pair of fully functional exploits capable of popping a shell and creating an arbitrary super-user. Amazing work.

Cameron closed out the day with an intro talk on reverse engineering MacOS binaries. Not a lot of focus has been placed on MacOS X vulnerability hunting but that will certainly be changing in a short time. Apple is far behind Microsoft as far as OS level security protections are concerned; couple that fact with the constantly increasing OS market share that Apple is grabbing and you'll start to see more and more researchers migrating to Apple security auditing. Cameron covered the various file formats, application bundle structures and basic OSX reversing tools necessary to get started. He also spoke on reverse engineering Objective-C compiled binaries, which present a unique set of problems in comparison to other compiled binaries, specifically in that functions aren't called, rather messages are passed, and therefore cross-references are non-existent. Naturally, scripts to solve this hurdle were presented. A positive benefit of Objective-C compiled binaries is that symbols are all preserved. This is especially helpful when the same software is released for both Mac and Windows: you can augment your Windows binary reversing by pulling the symbols from the Mac version.

That rounds up the first day. There is a conference party tonight where a series of 5 minute lightning talks will be presented with of course the standard night time activities to follow.

MindshaRE: Looping in Assembly [DVLabs: Blogs]

Posted: 13 Jun 2008 05:33 PM CDT

Posted by Cody Pierce

MindshaRE is our weekly look at some simple reverse engineering tips and tricks.  The goal is to keep things small and discuss every day aspects of reversing.  You can view previous entries here by going through our blog history.

After the entry last week comparing source to disassembly I thought it might be a good idea to cover some basics.  Often when learning how to read assembly it helps to take source code, compile it, and then look at it in your disassembler of choice to get an understanding of how a language looks in its final form.  By doing this you can pick out common patterns in assembly quickly.

So for today we are going to look at loops in assembly.  In particular these are the 3 looping constructs available in C: for, while, and do while.  For each one I will give a brief explanation and a comment about the loop being used.  I have included the source, disassembly, and screenshot of the disassembly using the IDA graph view.  I know a lot of people detest the IDA graph view, but for loops it is very handy and I use it religiously to quickly see code flow in loops.

All of these examples have been compiled with the Microsoft compiler version 15.00.21022.08.  No optimization or debug flags have been used.  For the curious try and compile your own with various optimization and debug flags.

Source: for_loop.c

#include <stdio.h>
int main(void)
{
    int i;  /* the counter; it lives at [ebp+var_4] in the listing below */
    printf("I am executing loop\n");
    for (i=0; i<256; i++)
    {
        printf("I am executing %d\n", i);
    }
    printf("I am done executing loop\n");
    return 0;
}

Binary: for_loop.exe

00401018  mov     [ebp+var_4], 0
0040101F  jmp     short loc_40102A
00401021  mov     eax, [ebp+var_4]
00401024  add     eax, 1
00401027  mov     [ebp+var_4], eax
0040102A  cmp     [ebp+var_4], 100h
00401031  jge     short loc_401046
00401033  mov     ecx, [ebp+var_4]
00401036  push    ecx
00401037  push    offset aIAmExecutingD ; "I am executing %d\n"
0040103C  call    printf
00401041  add     esp, 8
00401044  jmp     short loc_401021
00401046  push    offset aIAmDoneExecuti ; "I am done executing loop\n"
0040104B  call    printf

Screenshot: for_loop.jpg

Anyone familiar with programming has surely written a few thousand for loops.  Our tell-tale sign is the initialization of the counter variable used in the for loop before the actual loop test.  In our case we are setting a local variable "i" to 0.  This can be seen at .text:00401018.  Looking at the graph view allows us to quickly see our comparison to 256 and the branch to either continue execution or terminate.  It also allows us to see the "add eax, 1" (AKA i++) before our next iteration of the loop.

Source: while_loop.c

#include <stdio.h>
int main(void)
{
    int i = 0;  /* initialised by the programmer, not by the loop construct */
    printf("I am executing loop\n");
    while (i < 256)
    {
        printf("I am executing %d\n", i);
        i++;
    }
    printf("I am done executing loop\n");
    return 0;
}

Binary: while_loop.exe

00401015 add     esp, 4
00401018 cmp     [ebp+var_4], 100h
0040101F jge     short loc_40103D
00401021 mov     eax, [ebp+var_4]
00401024 push    eax
00401025 push    offset aIAmExecutingD ; "I am executing %d\n"
0040102A call    printf
0040102F add     esp, 8
00401032 mov     ecx, [ebp+var_4]
00401035 add     ecx, 1
00401038 mov     [ebp+var_4], ecx
0040103B jmp     short loc_401018
0040103D push    offset aIAmDoneExecuti ; "I am done executing loop\n"
00401042 call    printf

Screenshot: while_loop.jpg

The while loop is a much simpler loop to look at because it does not have the intrinsic ability to initialize the data being tested.  In our case we are again checking to make sure our counter "i" is less than 256.  As previously mentioned, in a while loop we do not see the initialization of the counter before the loop begins because it is up to the programmer to prepare any tests being measured in the loop.  As you can see in the graph view we also have fewer basic blocks.  This is because the compiler is not incrementing our counter for us.  Instead it is compiling our code into a single basic block.  An astute reader will notice that by using a while loop we save a branch instruction.

Source: do_while_loop.c

#include <stdio.h>
int main(void)
{
    int i = 0;  /* initialised by the programmer, not by the loop construct */
    printf("I am executing loop\n");
    do
    {
        printf("I am executing %d\n", i);
        i++;
    } while (i < 256);
    printf("I am done executing loop\n");
    return 0;
}

Binary: do_while_loop.exe

00401018 mov     eax, [ebp+var_4]
0040101B push    eax
0040101C push    offset aIAmExecutingD ; "I am executing %d\n"
00401021 call    printf
00401026 add     esp, 8
00401029 mov     ecx, [ebp+var_4]
0040102C add     ecx, 1
0040102F mov     [ebp+var_4], ecx
00401032 cmp     [ebp+var_4], 100h
00401039 jl      short loc_401018
0040103B push    offset aIAmDoneExecuti ; "I am done executing loop\n"
00401040 call    printf

Screenshot: do_while_loop.jpg

The do while loop is obviously similar to the while loop, except for one very important distinction: the lack of a check at the top of the loop.  This means we will always execute the code at least once, then check for our condition.  Once again going to the graph view shows us the loop is happening in a single basic block.  Our code is executed, our counter is incremented, and then our check against 256 happens.  Again those paying attention to potential optimization will notice the do while in this case only has a single branch instruction.

I hope this has been a handy example of loops in assembly.  Obviously in the real world looping in general is much more complex.  However, they all share the same test and branch logic as these examples. Try and spot some loops in other binaries you may have.  Maybe in future weeks we can revisit this and see how other language features compile into assembly.
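The three listings above differ only in where the test sits relative to the back edge, and that can be recognised mechanically. The following Python is an added example, not code from Cody's post or from DVLabs: it parses the three IDA-style listings from the post (embedded below as constructed input, copied from the listings), finds the back edge (a branch whose target is at or before the branch itself), and labels the loop do-while when the back edge is conditional, for when an unconditional jmp before the loop skips the increment block on the first pass, and while otherwise. The result dictionary fields and the reliance on IDA's loc_ naming for branch targets are assumptions of this example, not something the post specifies.

```python
import re

# Constructed input: the three MSVC listings shown in the post, copied verbatim.
FOR_LOOP = r"""
00401018  mov     [ebp+var_4], 0
0040101F  jmp     short loc_40102A
00401021  mov     eax, [ebp+var_4]
00401024  add     eax, 1
00401027  mov     [ebp+var_4], eax
0040102A  cmp     [ebp+var_4], 100h
00401031  jge     short loc_401046
00401033  mov     ecx, [ebp+var_4]
00401036  push    ecx
00401037  push    offset aIAmExecutingD ; "I am executing %d\n"
0040103C  call    printf
00401041  add     esp, 8
00401044  jmp     short loc_401021
00401046  push    offset aIAmDoneExecuti ; "I am done executing loop\n"
0040104B  call    printf
"""
WHILE_LOOP = r"""
00401015 add     esp, 4
00401018 cmp     [ebp+var_4], 100h
0040101F jge     short loc_40103D
00401021 mov     eax, [ebp+var_4]
00401024 push    eax
00401025 push    offset aIAmExecutingD ; "I am executing %d\n"
0040102A call    printf
0040102F add     esp, 8
00401032 mov     ecx, [ebp+var_4]
00401035 add     ecx, 1
00401038 mov     [ebp+var_4], ecx
0040103B jmp     short loc_401018
0040103D push    offset aIAmDoneExecuti ; "I am done executing loop\n"
00401042 call    printf
"""
DO_WHILE_LOOP = r"""
00401018 mov     eax, [ebp+var_4]
0040101B push    eax
0040101C push    offset aIAmExecutingD ; "I am executing %d\n"
00401021 call    printf
00401026 add     esp, 8
00401029 mov     ecx, [ebp+var_4]
0040102C add     ecx, 1
0040102F mov     [ebp+var_4], ecx
00401032 cmp     [ebp+var_4], 100h
00401039 jl      short loc_401018
0040103B push    offset aIAmDoneExecuti ; "I am done executing loop\n"
00401040 call    printf
"""

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+(\w+)\s*(.*?)\s*(?:;.*)?$")
TARGET_RE = re.compile(r"loc_([0-9A-Fa-f]+)")  # assumption: IDA-style label names
COND_JUMPS = {"jl", "jle", "jg", "jge", "jb", "jbe", "ja", "jae", "je", "jne", "jz", "jnz"}

def parse_listing(text):
    """Turn listing text into (addr, mnemonic, operands, target) tuples; target is None unless the operand names a loc_ label."""
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = TARGET_RE.search(m.group(3))
        insns.append((int(m.group(1), 16), m.group(2).lower(), m.group(3),
                      int(t.group(1), 16) if t else None))
    return insns

def classify_loop(listing):
    insns = parse_listing(listing)
    # A loop shows up as a back edge: a jump whose target is at or before the jump itself.
    back = next((i for i in insns if i[1].startswith("j") and i[3] is not None and i[3] <= i[0]), None)
    if back is None:
        return {"kind": "none"}
    head, tail = back[3], back[0]
    body = [i for i in insns if head <= i[0] <= tail]
    cmp_ops = next((i[2] for i in body if i[1] == "cmp"), None)
    exits = [i[1] for i in body if i[1] in COND_JUMPS and i[3] is not None and i[3] > tail]
    result = {"head": head, "tail": tail, "back_edge": back[1],
              "compare": cmp_ops, "exit_jump": exits[0] if exits else None}
    if back[1] != "jmp":
        # Conditional back edge: the test is at the bottom, so the body runs at least once.
        result["kind"] = "do-while"
        return result
    # Unconditional back edge: the test is at the top.  A for loop is told apart by the
    # forward jmp emitted before the loop that skips the increment block on the first pass.
    entry = [i for i in insns if i[0] < head and i[1] == "jmp"
             and i[3] is not None and head < i[3] <= tail]
    result["kind"] = "for" if entry else "while"
    return result

if __name__ == "__main__":
    for name, text in (("for", FOR_LOOP), ("while", WHILE_LOOP), ("do-while", DO_WHILE_LOOP)):
        print(name, classify_loop(text))
```

Run it as a script to print the classification for each listing. The heuristic is tied to the unoptimised MSVC output shown in the post: with optimisation enabled the compiler may rotate the loop or fold the increment into the test block, at which point the for/while distinction disappears and only the test-at-top versus test-at-bottom split remains.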
 

Podcast Episode Six [Random Thoughts from Joel's World]

Posted: 13 Jun 2008 04:04 PM CDT

As always, for your enjoyment, we have published Podcast Episode Six of the Internet Storm Center Podcast.

I'd like to thank all the viewers that were live on the show while broadcasting, it was great having you, maybe next time we'll be able to get more?

We again, had Larry Pesce of PaulDotCom Security Weekly.

Go grab it through iTunes.

As I said in my after-show notes, subscribe to PaulDotCom and our show through iTunes, that way together, we can become more powerful than you can possibly imagine.

Why we chose small business [untangling the future...]

Posted: 13 Jun 2008 03:58 PM CDT

I recently enjoyed reading SpiceWorks’ recent blog on why they chose to target the small business market. They clearly understand the S in SMBs and their buying behavior, which is crucial if you’re planning on attacking the small business market. I thought I’d follow up with a similar post explaining why Untangle targets small business.

Similar to SpiceWorks, we noticed a “hole” in the market for IT services and technologies for small business. The enterprise space was saturated with vendors. Given their dedicated IT staff and large budgets, they were the first obvious choice to target for technology companies. Consumers also had some good solutions. Their massive volume and simple IT setups (one machine) made them a lucrative market to attack with software applications. SOHO (single office/home office) only had a few machines, so usually just borrowed consumer solutions and installed them on each machine.

Small business, on the other hand, was far behind on the adoption curves of most solutions. The problem was that most solutions available don’t fit the requirements for SMB. Small businesses are too big to borrow consumer solutions yet much too small to afford the enterprise solutions. Why weren’t small businesses, who suffer the same pain as their larger enterprise counterparts, adopting these solutions? In a word - ‘friction.’ There is simply too much friction associated with the adoption of these solutions.

Friction of adoption comes in many forms, usually high cost, high complexity, or large time requirements. If you look across the board at IT solutions (Anti-Virus, Spam Filtering, Email Server, Backup, VOIP, Firewall, Web Filtering, etc etc) you’ll notice that small business’s adoption is inversely related to the friction associated with adopting the solution. They simply don’t buy expensive or difficult solutions, and this usually leaves them out in the cold. They don’t have the money that enterprise does so they can’t adopt those solutions. They don’t have IT staffs and they can’t take the time away from their business to learn and deploy complex solutions, so they can’t adopt the multitude of open source solutions available.

Untangle was born because here was a large segment with acute IT pain that stood to benefit greatly from an IT platform designed to frictionlessly deliver them IT services and solutions. The platform delivers these solutions in an easy and free manner and opens the flood gates such that small businesses can finally adopt all the technologies they need. Untangle stands to benefit from the wide distribution of our platform by leveraging that channel to deliver future IT services and solutions, but our first goal is to solve small business’s problems in order to get that massive distribution.

GRC - Love it or hate it [Andy, ITGuy]

Posted: 13 Jun 2008 02:43 PM CDT

Last week I received an email from a marketing firm wanting to know if I'd like to talk to Symantec about IT GRC and an upcoming announcement that they were going to be making. Usually I ignore these emails because my blog is NOT an advertisement for vendors. It's my place to voice my thoughts, good or bad, on technology and security. I try to stay as focused as possible and not get off on tangents regarding politics, religion, personal life, food, or anything else. That includes free advertising for vendors. Plus, I usually am not that interested in talking to marketing people about their product. If I want information on a product I want to talk to the engineers that designed it and support it. Not the marketers and sales guys.

Anyway, since I do have an interest in GRC and like the concept of it I decided to take the bait and have a conversation with them. So we scheduled a time and spent about an hour talking about what Symantec is doing in the GRC space. Of course they have a product that helps manage and maintain your program and that was the gist behind the conversation. They let me in on the announcement that they were making on Wednesday of this week and we had a good conversation. Then they invited me to sit in on a conference call on Wednesday where they were having a round table discussion about their offering and getting ready to make their big announcement as part of their Vision Conference. I wasn't sure if I'd get to because of the audit that we were having but I did find time to join in on the call. In preparation for the call they sent me an advance copy of the announcement and a report on IT GRC.

I tried to be a good blogger and read the report before the call but just didn't get the time to do more than skim it quickly. It looked interesting and like it had some good information in it, but I just didn't get the time to really read it. Then the time for the call came and I dialed in, pen in hand (my new Cross fountain pen that I LOVE to write with) ready to take notes and hear some good stuff regarding GRC. Of course you know that didn't happen. I was tired from lack of sleep and 2 1/2 days of audit and my mind wandered. I kept trying to bring it back and just as I'd get focused someone would talk who wasn't close enough to the mic and I couldn't hear them very well and I'd fade again. After about 45 minutes I gave in and hung up.

Today I see that Neil Roiter over at Search Security has a write up on the report and the Symantec Round table. You can check it out if you have any interest in what the report or Symantec has to say regarding this. There are a couple of things that I want to point out myself. The report seems to validate many of my thoughts regarding IT GRC. Mainly that it isn't about technology but about process. The longer I work in IT and especially dealing with security and compliance the more I appreciate how effective good processes can be in your program.

Here are the things in the Search Security write up that I really like. My comments are in blue.

  • The panel identified bridging that gap between senior management's business goals and IT operations as one of the keys to a successful IT GRC program, especially in complex global business environments with disparate regulatory requirements and a wide range of costs in different parts of the world.  No program is going to work if there is not an understanding between the business and IT as to what needs to be accomplished.
  • "A framework is a framework is a framework," said KPMG's Lesser. "It's taking the key portions and figuring out what are most important to your organization; what are the outside threats, risks and vulnerabilities that you need to consider, and what is going to provide the most value to your organization; defining a framework based on these industry standards that really fits your specific needs." This is so true. There are several good methods that work equally well. It all depends on what works for you and your organization. As long as the business agrees across the board what they are going to use they can all be equally effective.
  • Implementing automation tools, the panel agreed, was the last step in building IT GRC in an organization. See my post here for my thoughts on this.
  • "The poor approach is to say we're going to do IT GRC, and there are some automated tools available," said ISACA's Hale, "and let's implement these without really understanding what GRC is, what their objectives are, who's going to use the information, and how does it support their decision making." Unfortunately this mind set isn't limited to GRC programs. Tools can't fix everything and without good process and policy to back it up they can't really fix anything.
  • "There's no finish line with IT GRC; it's cyclical because the risks, and the threats and the landscape outside is constantly going to be changing." There is no finish line with much in technology, especially security and compliance. If you ever get to the point where you think you are finished then you are likely to quit paying attention to it and you will end up in worse shape than before you started.

Verizon Data Breach Report: IT Admins Biggest Culprits [Infosecurity.US]

Posted: 13 Jun 2008 01:57 PM CDT

Wired’s ThreatLevel blog writer Kim Zetter announces and analyzes a newly released Verizon (NYSE: VZ) Business Risk Team report detailing 4 years of security and data breach incidents. Surprise, surprise, IT Administrators, based on the report's findings, are shown to be the single largest group of perpetrators of breach related activities. Report links will download the [...]

Securify: Microsoft ActiveDirectory Vulnerability Permits Denial of Service Attacks [Infosecurity.US]

Posted: 13 Jun 2008 01:33 PM CDT

Securify (founded in 1998 by former Netscape chief scientist Taher Elgamal, Ph.D., now CTO at Tumbleweed Communications) information security researchers John Guzik and Alex Matthews discovered a vulnerability resident in the Microsoft (Nasdaq: MSFT) ActiveDirectory infrastructure LDAP variant in late December 2007. The patch for the vulnerability was made available to [...]

Shimel's rules of business development and negotiating - Keep your eye on the prize [StillSecure, After All These Years]

Posted: 13 Jun 2008 12:39 PM CDT

One of my favorite responsibilities at StillSecure is business/corporate development.  The biz dev role is something I have done for a long time for several companies. Having a decent grasp of technology, insight into business and my legal training have helped me to conclude many successful business deals over the many years I have been at it. Over the years I have also had the opportunity to work with many good people on both sides of the table, as well as the chance to help train many good people.  Some of the things I have tried to teach others and that I myself try to remember in negotiating business terms are:

1. Win-win - I know it is such a cliche, but it is also still true.  I have seen so many people, from attorneys, to entrepreneurs, to other biz dev people, try to "beat" the other guy.  You may put one over on the other side and get favorable terms in your agreement, but ultimately if it doesn't work for the other side, all of the agreements in the world won't make it work for you.  The most successful deals I have been involved in have been ones where both sides feel that they are getting real value out of the deal.

2. Don't think you are smarter than the other guy - How many times have I seen this vain attitude ruin deals.  Everybody sitting at the table puts their pants on one leg at a time.  Don't think that you are so superior or more intelligent than the other side. They usually are perfectly capable of seeing exactly what you are really driving at and trying to outsmart them again will wind up with a lose-lose.

3. It's not the battle, but the war that counts - One of the things I disliked most about practicing law was dealing with other lawyers.  Every single point of every single agreement could become a knock down, throw down battle to the death, as each side tried to show that they were the better attorney on each point.  It's not about winning any given point, it's about getting the deal done.  Unless a particular point is truly a showstopper, you have to remember the big picture of what you are trying to accomplish.  Too many times I have dealt with people who seemed to keep a running tally of how many points they got their way versus how many times they gave in.  Whether the deal in total is a good deal that accomplishes your goals is the real scoreboard.

4. Theory is fine, but go for the meat and potatoes -  I have seen so many deals drag out because a particular point is taken to a theoretically possible, but highly unlikely scenario.  Good legal drafting practice says you should try to plan for every eventuality.  But because a corner case of a corner case is remotely possible, don't throw away a great opportunity.  Try to draft around that remote possibility.

5. Put as much effort into the success of the relationship as you do in negotiating the contract.  I have been involved in some deals that by the time the agreement is agreed to, one party or the other is spent and just seems to lose the momentum to carry the relationship beyond the contract.  The contract is the beginning of the business relationship, not the end.

6. Put yourself in the other guy's shoes - Empathize with what your colleague is thinking and feeling. Understanding their needs, motivations and state of mind can help you understand what it will take to reach an agreement.

Of course every deal is different, but remembering these rules will serve you well every time.

EU decides to keep ineffective agency around to watch pwnage [Security Karma]

Posted: 13 Jun 2008 12:37 PM CDT

From the "We Gotta Look Like We're Doing Something" Desk.

The EU is keeping ENISA around for another three years to keep an eye on the networks in Europe and to answer questions as entire countries are crippled (Estonia where you at?) by DDOS attacks and hacking, pirating, phishing, etc. go on unfettered. What we can expect from ENISA is more great quotes like "The need for secure networks, systems and services will certainly not suddenly disappear in 2012," from Andrea Pirotti the Executive Director of ENISA. Well said sir, well said.

I feel safer already... until 2012 that is.

Interesting Information Security Bits for June 13th, 2008 [Infosec Ramblings]

Posted: 13 Jun 2008 10:31 AM CDT


Good morning all. Here are today’s bits.

From the Blogosphere.

Via Alex Eckelberry, Brian Krebs has a note up about a nasty trojan that can change the DNS settings on your home router. Make sure you change those default passwords.

Adam shares with us that the Department of Justice has released a new report, “Data Breaches: What the Underground World of "Carding" Reveals.”

Jeff Jones brings to our attention a new installation option available in Windows Server 2008, Server Core. Based on his first analysis, this type of install significantly reduces the vulnerability footprint of Windows Server. He will be providing further guidance. Very interesting stuff.

Shrdlu gives us Information Security in 60 Seconds. Succinct and to the point.

The Guerilla CISO has some observations on security services as commodities and the implications for how those services are provided. Something to think about.

Paterva has released a community version of Maltego v2. I found out via CarnalOwnage.

From the Newsosphere.

From Networkworld and The Times of India, looks like there has been a case of an Indian outsourcer stealing client data and selling it to competitors. It was only a matter of time before it happened.

From The Register, looks like the XSS monster has raised its ugly head at McAfee, Symantec and VeriSign. Original article at XSSed.

Informationweek informs us that a network engineer in San Diego has been sentenced to more than five years in prison. Another reminder about the insider attack.

CIO brings us a discussion about whether or not virtualization can improve security.

Via Dark Reading, PGP has added pre-boot authentication to their full-disk encryption solution.

The Register tells us that there is a security flaw in a popular piece of software used to manage SCADA systems. Not good.

That’s it for today. Have a great Friday.

Kevin


British hacker faces extradition hearing [Vincent Arnold]

Posted: 13 Jun 2008 10:21 AM CDT

By Jeremy Kirk, IDG News Service
June 13, 2008

Gary McKinnon could become the first British hacker extradited to the U.S. for allegedly deleting data and accessing information on U.S. military and NASA computers

A British hacker fighting extradition to the U.S. on computer hacking charges is preparing for his final U.K. appeal on Monday in London.

If Gary McKinnon loses this appeal, he would be the first British hacker extradited to the U.S. He could face up to 60 years in prison.

McKinnon, of London, is accused of deleting data and illegally accessing information on 97 U.S. military and NASA computers between February 2001 and March 2002. He’s been charged in U.S. District Court for the Eastern District of Virginia.

McKinnon admitted to using a program called “RemotelyAnywhere” to hack into PCs late at night when employees were gone. His hacking exploits started to unravel after McKinnon miscalculated the time difference between the U.S. and U.K., and one employee noticed their PC was acting oddly.

Read More

Thinking About “Unconferences” [RSA Conference - Blog]

Posted: 13 Jun 2008 07:15 AM CDT

My secret to successful trainings [Roer.Com Information Security - Your source of Information Security]

Posted: 13 Jun 2008 06:38 AM CDT

Facilitating training processes is something I truly enjoy. Particularly when I can enter a class where the energy level is low, and the participants expect to be handed tasks to work with.

When you enter the room, you feel their lack of motivation. And no motivation usually means a tough day for both participants and the trainer. And if you want people to learn new skills, and hopefully to change their attitude towards the subject, you need them to be motivated.

This is particularly true when training security and user awareness. People act as if the topic is as interesting as a piece of dead wood. Believe you me – I do not want to be that piece of wood!

Thus, one of my main focuses during a training is to build; and keep; the energy level high.

This can be done by using group exercises, open discussions and by sharing your own craziness (and boy, can I be crazy!)

I build an environment where it is safe to ask questions and to wonder. A group where they support and help each other – even when I am no longer there. Because only when the motivation and fun is present, can we focus on knowledge transferal. Where the participants get their learning experience. Where the actual message is conveyed, understood and put into use.

So now you know my secret to giving successful trainings!

I’m back [Security Balance]

Posted: 12 Jun 2008 06:00 PM CDT

I’m back. OK, almost. Today I spent two hours reading lots of accumulated RSS news, blog postings and others. I was glad to see that nothing very exciting happened during the last weeks, when I was moving to Toronto and wasn’t able to follow the news and post on the blog. Now my life is slowly getting into something we may call “routine”, so I think it’s time to resume the activities of this blog.

First, it seems that there is some good stuff from Mogull and Schneier. I’ll read their posts as soon as possible to see if there is something I can add.

Today I went to Infosecurity Toronto. I was impressed by how small the exhibition was. Someone told me that the owners of the event did something weird on the marketing side, starting the negotiation of space and sponsorships too late. However, it was good to go there and take a quick look at the local security market. As always, conferences are those places where there are lots of vendors and not a single customer :-)

I’m still looking for a job here. I’m having some good conversations with some pretty interesting companies, I hope to be employed by the end of this month.

One interesting thing to mention here is that during my last week in Brazil I was hacked. Yes. I’m not ashamed to say that, especially because I’m aware that security professionals draw more attention from potential attackers. What happened was that I made two mistakes related to my personal password management “policy”. I was using the same password for services I considered low-risk to me. The first mistake was to consider 3 services that have higher risk implied as “low risk” (actually, I couldn’t even remember I was using that pwd on them - it was something very automatic for me) and the second was to use that password on a very targeted and potentially insecure service. There is a small group of self-called “hackers” in Brazil that are trying to cause problems for the key names of Information Security in the country. Unfortunately, I am on that list. As I was caught in the middle of my relocation I was unable to follow a lot of the incident response procedures I would like to, but I’m also aware that some of the others that are being targeted by this group are doing that. I won’t even talk too much about it as it seems that what they are really looking for is that people talk about them. This, however, is interesting as a reminder for me that as a security professional I need to be a little more paranoid about security on my personal stuff.

That’s all for now. I hope to be able to find more interesting stuff to write about again. I’m keeping my personal “in Portuguese” blog updated with my impressions about my new city, but this one needs some special care too. I’ll try harder.

Peach 2.1 BETA3 Released [Security-Protocols]

Posted: 12 Jun 2008 05:40 PM CDT

This new beta includes a lot of changes and makes Peach feature complete for the 2.1 release coming in the next month or so. There are lots of changes in this release. Michael has renamed -> and ...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

The Daily Incite - June 12, 2008 [Security Incite Rants]

Posted: 12 Jun 2008 11:38 AM CDT

Today's Daily Incite

June 12, 2008 - Volume 3, #56

Good Morning:
First things first, I need to send a shout out to my Dad. Today he turns 65. Happy Birthday!!!! Yup, he's no spring chicken anymore - but that's OK. I'm sure he likes to think he's getting better with age. I can say I hope that my kids learn as much for as long from me, as I have from my Dad. Even today I find that I learn new stuff from him all the time, which is quite a feat since I already know everything. Evidently he knows more.
You are no spring chicken!
But as we all pass milestone birthdays (I have one coming up in October as well), you can't help but think about your legacy. What is it that you are leaving behind in your wake? If you have kids, it's easiest to look at them as your legacy - but it's more than that. Have you influenced the folks you spend time with? Your colleagues at work? Your friends? People you don't even know? Most of us don't ask those questions. Mostly because we don't want to know the answer.

They say to live today like it will be your last. Carpe Diem. Blah blah blah. I'm not sure I buy that anymore. I'm thinking I want to think about what kind of impact I can have over decades. You can't change the world in a day or even a week. But over a decade? Maybe. I know, that's a bit arrogant to think I can change much of anything by being a talking head and writer about something as arcane as information security. But you have to start somewhere no?

For a long time, I treated my career and my life as a sprint. Run fast. Run faster. Never satisfied. It made my hair gray and my general attitude pretty damn grumpy. Maybe it's better to think about things as a marathon. What is the long view of what you want to accomplish in the short time we are here? Do you have a plan to get there? Can you be flexible enough when that plan doesn't work out?

This line of thinking extends to the courageous decision that Bill Gates made to step down from his "job" at Microsoft and focus on his foundation. Talk about a legacy. A lot of the tech trade are doing retrospective pieces about Gates' impact on technology and society, and that is all good and well. But I don't think the guy is quite done yet. In fact, I think his most impactful work is yet to come.

I remember the old saying from Spider-Man: "With great power comes great responsibility." I'm not sure I know of truer words than that. We all have our own power and with that power comes responsibility. It's easy to get mowed under the responsibilities of the day, but every couple of weeks you really should peel off for an hour or two and take the long view. Use that time to determine which course corrections are necessary. If you don't, the time just flies and you end up where you end up. I don't want to look back and find I've squandered my own power. But that's just me.

My Dad is 65 today. My Mom is there too. I hope they are happy where they are. They should be. They've both accomplished much (not like Bill Gates, but a lot), and should be proud. Now I think I'll get back to work and keep chipping away at my own legacy. Whatever that turns out to be. Have a great weekend.

Photo: "Spring Chicken" originally uploaded by themuuj



Top Security News

You know you are a redneck security professional when...
So what? - Roger Grimes tries to add some levity to what is a pretty downtrodden profession in his column last week. It's structured as one of those Jeff Foxworthy type bits, "you know you are a security professional when..." Some are pretty funny and a few I certainly can empathize with. But part of this entire idea of being a "security professional" is beside the point of what security professionals need to evolve to. I ask a lot of folks who happen to be practitioners whether they are security professionals. Most answer yes, almost immediately. They are then shocked when I tell them they are wrong. Tomorrow's security professional is not a security professional at all, not in the sense that we think of security practitioners today. They are business people, who happen to help protect the critical information and systems of the organization. Yes, it's a nuance. Yes, it's mincing words. But the perspective and the philosophy are important. We serve the business. We don't chase hackers. Sometimes we get to chase hackers to serve the business, but we can NEVER forget who we work for and what we do for them. But to jump on Roger's idea: You know you are a security professional when you are happy that jackass from LifeLock got his identity stolen. Serves him right for running that advertising campaign publishing his SSN#.

How do you say "oh, crap" in Hindi
So what? - It was just a matter of time before a huge data breach from an off-shore outsourcer came to light. I'm sure the one mentioned this week in NetworkWorld isn't the first, but it does remind us about the dangers of these new collaborative business processes. The reality is that outsourcing is happening, and there are risks there. Too many risks to do something? Probably not, but risks that should be considered. You should be looking at the security infrastructure of the outsourcer as part of the diligence process. But can you really avoid something like this? In reality, this is no different than an unscrupulous insider stealing stuff and selling it to the competition. Why is an outsourcer different? You need to consider them part of your extended enterprise, and protect things accordingly. This is another critical reason why we need to start thinking about security from an inside-out perspective (starting at securing the data), as opposed to just an outside-in viewpoint. We pay a lot of lip service to the insider threat, but most of the technologies and tactics used to deal with it are just the same crap we did on our perimeter, inside the network. If you are looking for the next place to disrupt the security apple cart - look at the data. That's where the next wave of security innovation needs to be focused.

Yes, but will it stop a Wolverine?
So what? - It seems the folks at Ohio State have discovered a means to more effectively control the spread of a mass-proliferating worm. Evidently by quarantining devices that try to do 10,000 scans, you can dramatically reduce the impact of an outbreak. First of all, when was the last self-proliferating worm spotted in the wild? A new one? I can't even remember. Code Red was like 7 years ago and SQL Slammer was 5 years ago. It seems that most attacks today are focused on remaining low and slow and not being detected. Taking over a machine and blasting out 10,000 scans probably isn't a good way to stay under the radar. The general concept does make sense, but I can't say it's really new. I figure the NBAD folks have some good data about how they monitor the network and can find a bad actor way before they send out 10,000 scans. But forgive my transgression, I know we wouldn't want to inflict real life on an academic study.
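The rate-based containment idea in the Ohio State item (quarantine a device once it has attempted a large number of scans) as a concrete detector, added here as an example that is not from the newsletter or the study it discusses. The flow-record format, the sample hosts (a benign web client and a host sweeping tcp/445), the sliding-window distinct-target counter and the 60-second window are all constructed assumptions of this example; the default threshold is the 10,000-scan figure quoted above, and the sample run lowers it to 100 so the small constructed sweep trips it.

```python
"""Scan-rate quarantine: flag a host once it has contacted a threshold number of
distinct targets inside a sliding time window, as a containment trigger for a
self-propagating worm. Constructed example; not the study's or the newsletter's code."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def make_sample_flows():
    """Construct sample flow records as 'timestamp src dst dport', one per line.
    Host 10.0.0.7 is benign (30 connections to 5 web servers); host 10.0.0.5
    behaves like a scanning worm (250 distinct hosts on tcp/445 in about 5 s)."""
    lines = [f"2008-06-12T09:00:{i:02d} 10.0.0.7 10.0.2.{i % 5 + 1} 80"
             for i in range(30)]
    lines += [f"2008-06-12T09:00:{i // 50:02d} 10.0.0.5 10.0.1.{i} 445"
              for i in range(1, 251)]
    return "\n".join(lines)


def parse_flows(text):
    """Parse the flow lines into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def distinct_targets(records):
    """Total distinct (dst, dport) pairs per source over the whole capture."""
    targets = defaultdict(set)
    for _, src, dst, dport in records:
        targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items()}


def hosts_to_quarantine(records, threshold=10000, window=timedelta(seconds=60)):
    """Return {src: time_of_first_crossing} for hosts whose count of distinct
    targets inside the sliding window reaches the threshold. The default
    threshold is the 10,000-scan figure from the article; the window length
    is an assumption of this example."""
    flagged = {}
    recent = defaultdict(deque)     # src -> deque of (ts, target), oldest first
    live = defaultdict(Counter)     # src -> target -> hits still inside window
    for ts, src, dst, dport in sorted(records, key=lambda r: r[0]):
        if src in flagged:          # already quarantined; ignore further traffic
            continue
        target = (dst, dport)
        recent[src].append((ts, target))
        live[src][target] += 1
        # Expire entries that have fallen out of the window before counting.
        while recent[src] and recent[src][0][0] < ts - window:
            _, old = recent[src].popleft()
            live[src][old] -= 1
            if live[src][old] == 0:
                del live[src][old]
        if len(live[src]) >= threshold:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    flows = parse_flows(make_sample_flows())
    print(distinct_targets(flows))
    # Threshold lowered to 100 so the small constructed sweep trips it.
    print(hosts_to_quarantine(flows, threshold=100))
```

Counting distinct targets rather than raw connection attempts is what keeps the benign host (many connections, five servers) from ever approaching the threshold, while the sweeping host crosses it within seconds; the quarantine timestamp returned is the point at which a switch ACL or NAC policy would isolate the port. This is exactly the tension the item raises: a low-and-slow attacker stays under a distinct-target threshold indefinitely, so a counter like this is a worm brake, not a general intrusion detector.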


The Laundry List

  1. Deal: Perimeter buys Edgeos, figuring why should Qualys have all the fun. Like managed vuln scanning is fun. - Perimeter release
  2. Deal: Symantec buys SwapDrive. I guess there is something to that bunch of disks in the cloud. - TechCrunch coverage
  3. Is it because they are good, or the other guys are bad? Doesn't matter to Sophos, who is showing growth in the North American channel. Just ask them. - SearchITchannel coverage
  4. Websense claims to stop Web 2.0 threats in their latest release. I guess they've figured out how to address human nature. Maybe they should patent that. - Websense release

Top Blog Postings

That's what we do is a bad answer
AndyITGuy makes a great point here, which is that we live in a dynamic world. So why would we expect our defenses and tactics to stay static? It gets back to a few of the scariest words I hear: "Because that's what we've always done." OK, I'll admit that it's easy for me, as an outsider, to come in and ask questions and call bunk on stuff that just doesn't make sense. Most people are embarrassed to blame inertia on the way they do things, so they fess up and then move quickly to address the issue with tactics that may actually work. Yet, what happens when an outsider isn't there to poke you in the eye? Most of the time nothing happens, and that's a big problem. The bad guys are changing and adapting. That means the good guys have to change and adapt as well. And don't ever accept the status quo as sufficient. Unless you actually enjoy looking for another job.
http://andyitguy.blogspot.com/2008/05/i-don-care-how-you-always-done-it.html

Why stop at WAFs? Everything needs to work better
The Mogull makes the point here (referencing a keynote that the inimitable Jeremiah did at a SAN conference) that we have a lot of work to do on the web application firewall front. Given the fact that it will take hundreds of years to analyze all the code that's already been built, the odds that we'll get full coverage from a secure development lifecycle perspective are nil. So we've got to have other tactics to protect our applications. WAF is one. Providing additional layers (as Rich says, like database monitoring) is important as well. His point about being able to react faster to emerging exploits by adding rules to the WAF in real-time is interesting. But there are some concerns with this kind of approach. What about false positives? I took a dump on the G's idea of the "adaptive security architecture" yesterday because I don't think our detection capabilities are sophisticated enough to do it well, without adding a bunch of false positives to the mix. Thus, I'm not sure I trust Jeremiah's band of merry men (and women) to reprogram my WAF in real time and not start blocking legitimate app traffic. I hope they can, I think that would be great. But until you start seeing a bunch of public success stories, I'll keep my cynical hat on.
http://securosis.com/2008/06/02/web-application-security-we-need-web-application-firewalls-to-work-better/

Is that a big lock in the cloud?
I'm fascinated by hail. As long as I'm inside (and my cars are safely in the garage), it's kind of cool to watch the hail stones raining down on my deck. Now that most technology architects are figuring out how and what should be moved into the "cloud," I guess the cyber equivalent of a hail storm is to have locks falling from the sky. That would probably hurt. Kidding aside, it's good to see mass media publications like GigaOm starting to talk about the need to provide more adequate security in the cloud. The reality is that we are moving towards a multi-tenant world. And if you thought the data segregation and identity management challenges of a typical enterprise were awe inspiring, think about how you do that for millions of customers - all consuming compute cycles and storage services from a big time sharing machine in the sky. The hope of the post is that the cloud computing companies will find economies of scale in security, and that they can more effectively battle the bad guys because they can amortize those investments over a lot more customers and a lot more data. In theory, that's about right. But in practice, it's not clear how seriously any of these providers take security. Most of them rely on the "trust us" security by obscurity approach, which maintains they have smart guys working on the problem, and therefore it isn't much of a problem. Of course, we all know that isn't really an answer, but until a high profile breach happens on data stored in the cloud, that answer will be good enough.
http://gigaom.com/2008/06/10/the-amazon-outage-fortresses-in-the-clouds/
