Tuesday, June 24, 2008

Spliced feed for Security Bloggers Network

Security Catalyst Community: Discussion Forum Activity for June 24 [The Security Catalyst]

Posted: 24 Jun 2008 07:36 AM CDT

Here are some recent discussions. Got an opinion, jump in!

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

PCI compliance kit for NAC - do you believe it? [StillSecure, After All These Years]

Posted: 24 Jun 2008 07:03 AM CDT

Tim Greene makes the point again in his column that NAC is a great tool to help with PCI compliance. He is right on. Here at StillSecure we have several customers who are using NAC to help with PCI. My issue is that Tim highlights some recent spin fed to him from the "used car salesman of NAC". They claim to have a "PCI kit" that will help with 8 out of 12 PCI requirements. A kit sounds like something you put on your car to help with gas mileage or something, and for all I know it is just more snake oil. They claim to have an "unnamed customer" who is already using it. Who could that be, LVHH again? Or maybe they found a Cisco or Juniper customer that they say uses them for NAC now too. The BNBB advises taking anything they say or write with a grain of salt. Remember Caveat Emptor!

Where are all the UK startups? [IT Security: The view from here]

Posted: 24 Jun 2008 03:44 AM CDT

Many years ago now, I was discouraged from applying to Cambridge by a very short, bitter tutor (who had been to Cambridge) because he said my predicted grades of A, A, B, B were not strong enough. He even said I shouldn't even apply, because it would look bad on my UCAS form to the other universities. Yes, I know how stupid that looks now.

Well, I never applied, so never got a chance to prove him wrong. Little did I know they probably would have been happy to accept - I later got on to a Physics course at Bath University where other attendees were accepted with just 2 E grades, they were that desperate for intake, and that was considered one of the top non-Oxbridge courses in the country at the time. Still, I can't change history, and Mr. Sampson is still short, and a poor teacher. I have never trusted anyone in authority since, never let anyone question my intelligence and I cannot abide the short. So I guess I learnt some valuable life lessons.

All of which roundabout rambling brings me to the subject of the fabulous technical parks set up by these bastions of British learning. Cambridge in particular has thrown up many security start-up companies. Indeed, the area around Cambridge is often referred to as "Silicon Fen" (being in the area known as 'the Fens'). There are apparently over 1000 technology companies there with several billion pounds worth of investment. Most people will have heard of nCipher in particular, now a little past their prime, but at one point valued at hundreds of millions of pounds on the FTSE. I could name half a dozen bright little Security ideas that have come out of the area in recent times, some whom I have had contact with, others not. Of course, not all of these go on to greatness. The investors play a numbers game here just as they do in Silicon Valley.

Outside of those hallowed walls, there seems to be a scattering of other good UK-based technology startups around at the moment too, right across the country. I'm encouraged, because it's an area I know quite well, I know the processes and the pitfalls, the people to work with and those to avoid like the plague. I just want to hear more about them at the moment as I'm pretty sure we're about to see a lot more growth in this sector over here.

If you've got a security startup and think it's worth talking about, get in touch, I'd be interested to see what's new and what's working.

Who says innovation in security is dead? [StillSecure, After All These Years]

Posted: 23 Jun 2008 11:57 PM CDT

I was reading Amrit Williams' blog today on the AV market and followed a bunch of links back to read more. I have to say the articles left me with a bad taste in my mouth about where the innovation in security is, especially in the AV market. As Amrit points out, the first article has Eva Chen, CEO of Trend, proclaiming "the AV industry sucks". She says that with 5.5 million new viruses, how can anyone claim they are doing a good job? I don't disagree with her, but unlike Amrit, I don't think the Trend response is such an innovative one. In fact I think it is exactly what the folks at Panda Security in Spain have been talking about doing for some time now.

A couple of other things that Eva says I found disturbing as well. Most of all was her analogy of open source software and proprietary software to capitalism and Communism.  I don't buy into the whole open source - socialist/communist thing.  I think it once again shows that Eva Chen doesn't get open source at all.

The other interesting article that Amrit pointed out was one announcing the new Symantec endpoint management suite. This represents Symantec integrating its endpoint security suite with the Altiris management platform. I think Amrit is right that it takes more than slapping it all in a yellow box and putting a portal interface on it. Often that amounts to little more than seeing how high you can make the pile.

Latest OSX Flaw Builds on the ARDAgent Vulnerability [Infosecurity.US]

Posted: 23 Jun 2008 11:22 PM CDT

Monday brought news of another Mac OS X flaw, this time related to the previously reported ARDAgent vulnerability published here last week (via Brian Krebs' Security Fix blog at The Washington Post).

SecurityFocus Interviews Mozilla Security Team [Infosecurity.US]

Posted: 23 Jun 2008 11:21 PM CDT

SecurityFocus (one of our favorite and trusted resources) has published a superb interview with a couple of members of the Mozilla Security Team (actually Johnathan Nightingale, Security User Interface Lead (aka HumanShield) and Window Snyder, Chief Security Officer). The interview, conducted by SecurityFocus contributor Federico Biancuzzi, is quite enlightening, and provides a certain insight [...]

Security Appliances: An Opinion [Infosecurity.US]

Posted: 23 Jun 2008 10:55 PM CDT

Anton Chuvakin, Ph.D. posts (at Security Warrior) probably one of the more eloquent and succinct views on security appliances (and vendors) that I have seen in some time. The lesson the Good Doctor teaches, quite frankly, is, whether in the public or private sector, the trust you place in vendors, and the security appliances they [...]

Chinese hackers cause India’s military to ramp up security [The Dark Visitor]

Posted: 23 Jun 2008 08:21 PM CDT

This is a very good summary of Chinese hacker attacks on India, to include speculation on mapping of their information infrastructure:

China’s intensified cyber warfare against India is becoming a serious threat to national security. The desire to possess ‘electronic dominance’ over India has compelled Chinese hackers to attack many crucial Indian websites and over the past one and a half years, they have mounted almost daily attacks on Indian computer networks - both government and private.

In October 2007, for example, Chinese hackers defaced over 143 Indian websites. Phishing is a term derived from fishing, and is a fraudulent activity on the Internet to acquire personal information. In phishing, the hackers use spoofed e-mails to lure innocent Internet users and get their personal information like bank account number, credit card details, and password and so on.

Read more here…

Stay Current? - I don't think so [StillSecure, After All These Years]

Posted: 23 Jun 2008 07:57 PM CDT

A Google alert caught my eye today about an article entitled "The Essential Guide to NAC", in ITSecurity.com.  It is by John Edwards and dated June 23, 2008.  It was pretty much the usual about NAC.  In line, out of band, agent based and agentless, yada, yada, yada.  At the end of the article was a list of "market leaders" including Vernier Networks and a few other smaller NAC vendors.  Now as we all know Vernier ain't Vernier no more and is not really in the NAC business.  I would not hold it against John Edwards or ITSecurity.com except at the head of the article it said, "Stay Current, Features - The Essential Guide to NAC"

Not exactly what I would call keeping current, would you?

Rebuild Hope: Americans Helping Severely Wounded U.S. Veterans [Secure Access Central]

Posted: 23 Jun 2008 06:22 PM CDT

During the past three months I have written few posts for the Secure Access Central blog and I wish to explain briefly why. On June 10 two co-founders and I launched Rebuild Hope, an innovative national non-profit that helps U.S. veterans who have suffered life-changing physical and/or psychological injuries since September 11, 2001 and received inadequate care and support from existing organizations. In a nutshell, Rebuild Hope operates an on-line financial support network that brings donors and recipients together. It will be supported by teams of volunteers across the U.S. who develop grass roots programs in their own communities. Qualifying veterans display personal profiles along with specific requests for transitional financial assistance and donors advise us on how they would like their donations to be distributed. Rebuild Hope is entirely staffed by volunteers and 100% of donations designated for veterans are distributed to them. Our success depends on passionate volunteers, donations and great ideas so if you would like to learn more about Rebuild Hope and get involved in some way we encourage you to visit our website and contact us either at dana@rebuildhope.org or (650) 321-4930.

I look forward to putting much more effort into Secure Access Central later this summer and appreciate everyone’s patience.

 Best regards,

Dana Hendrickson

NAC Solutions: How Will You Deal With Non-employees? [Secure Access Central]

Posted: 23 Jun 2008 05:42 PM CDT

That IT business technology innovation is driven by a small number of sophisticated customers willing to accept perceived frontier costs and risks in return for some higher expected value is indisputable, and the NAC evolution is no exception. Equally true is the claim that the media thrives on controversy and contrary views. Therefore, we have been treated to a relentless stream of negative articles as "small NAC" (network admission control) became the latest security "whipping boy". But are there signs that early NAC adopters are onto something big? Or will they ultimately regret their aggressive stances on a still emerging technology? Taking a large view of the NAC evolution, I believe these organizations will not only enjoy huge benefits but that their numbers will grow immensely during the next five years. And small NAC will be only a small part of advanced access policy solutions. The best sign is that early NAC adopters are demanding even more functionality as they gain the requisite knowledge and experience to refine their existing solutions.

The growing interest in NAC advanced user registration tools is an excellent example. Cisco Systems, Bradford Networks and Great Bay Software are leading the charge of vendors responding to the demand for ever more capable NAC administrative tools, and each has introduced a user registration product that enables IT to centrally define access policies for non-employees who might reside anywhere on the network and to delegate user registration to non-IT business personnel. This is much more useful than traditional NAC "guest" access control, which usually relies on either VLANs or restricted network segments/plugs. Each vendor has taken a very different marketing approach to offering its solution.

Cisco NAC Guest Server

Cisco Systems has taken its traditional approach to non-employee network access management. The Cisco NAC Guest Server announced in November 2007 is a dedicated appliance which only works with either a Cisco NAC Appliance or a Cisco Wireless LAN Controller. With the Cisco NAC Guest Server an unlimited number of pre-defined roles can be assigned to guests, contractors and business partners. So far, Cisco has not been responsive to my requests for pricing on the Cisco NAC Guest Server so I will add this information when I get it.

Bradford NAC Director GCS

In April 2008 Bradford Networks introduced its delegated user registration software in two forms, each designed for a different deployment strategy. The first, the Bradford NAC Director GCS, is designed for organizations that initially want to deploy NAC only to control users and computers operated by non-employees. Like the Cisco product, it works with both wired and wireless network connections. Since users usually possess their own laptops, a dissolvable admission control agent must be downloaded. This Bradford solution combines a delegated user registration system, network admission control AND resource access control. Unlike the Cisco product, role-based policies for admission control are limited to three variations: guest access to the Internet plus contractor and temporary user access to internal network resources. However, the Cisco NAC Appliance does NOT provide resource access control, a capability prized by a growing share of the NAC marketplace.

When an organization decides to include employees in its NAC deployment, the software on the Bradford NAC Director GCS can be upgraded to provide full NAC Director functionality. With the other Bradford guest management offering, organizations can start with the feature-rich NAC Director for controlling employees and non-employees and later add delegated guest user registration through the purchase of GCS user licenses. There is no additional cost for the actual GCS application.

A starter NAC Director GCS system carries a list price of $7,995 and supports a maximum of 50 GCS users ($160/user). A mid-range appliance that supports 300 GCS users is priced at $16,995 ($57/user). When the GCS capability is added to an existing NAC Director, the price is $500 per 50 users ($10/user).

Great Bay Software (GBS)

The GBS product is software called NAC Sponsored Guest Access. Its capabilities are similar to the other two products; it integrates easily with not only the Cisco and Juniper NAC systems but can also share a database with the GBS Beacon Endpoint Profiler, which is used to monitor and control the access of non-authenticating devices on a network. The NAC Sponsored Guest Access software has a list price of $25,000 (U.S.).

Pride of Accomplishment - and what really matters [The Security Catalyst]

Posted: 23 Jun 2008 04:32 PM CDT

Earlier today we received the shipment of “preview copies” for Into the Breach. This is the first book that I authored by myself (as opposed to contributing) - and it took longer than expected. Despite the delays, the entire journey has been amazing!
COVER: Into the Breach: Protect Your Business by Managing People, Information and Risk
To open the book and hold the finished (albeit preview) product in my hands felt cool. Okay, I did a little happy dance in the office. Then I realized that the book website is out of date (and is slated for a massive overhaul next weekend). We're also working on the link for pre-orders and a final ship date for the hardcover version... mind racing, pressure building, I got back to work.

Just now, my children came home. My son actually snuck into my office (he’s getting good!), walked up behind me and yelled “Congratulations” and gave me a huge hug. He was as excited as his birthday when I handed him his own copy. He looked me dead in the eye and told me, “Daddy, this must have taken a lot of time. I am very proud of you.” His entire body let me know he was excited. And proud. A minute later, my daughter came running in, cheering for me. She immediately asked for her copy, hugged me and told me the book looked “great.”

The tears welled up as they scampered upstairs to put their books in “a safe place.”

I didn’t write this book for the sake of writing; rather I wrote to shift thinking and change behaviors. I asked, “What if breach isn’t the problem?” and then spent a few years blending and distilling sociology, psychology, applied economics and experience with technology to share some insights and suggest a path. I wrote to make a difference. The process of writing involved the entire family - and for that, I am grateful.

Holding the book today was an awesome feeling. And yet it was quickly trumped by the simple celebration and pride my children took in me. This is what really matters. Today is a day to remember.

Update: My parents and Grandmother came by for dinner. My son ran out to meet them - book in hand. Couldn’t wait to tell them “how totally awesome Daddy’s book is.” Totally an awesome day to remember.

Avoiding controls which are "designed to fail" [Rory.Blog]

Posted: 23 Jun 2008 03:45 PM CDT

One of the great problems and frustrations of working in security is when those darned users don't follow the nice policies that people have spent so much time working on.

But here's the thing, security professionals actually indoctrinate users not to follow policies!

How do they do this? Well, people like following patterns, and so when the pattern "It's okay not to actually follow this" is established in relation to security, people will apply that pattern the next time they run into a security policy that's potentially difficult or hard to follow.

I'm sure there's a lot of security people saying "No idea what he's talking about, all my policies were made to be followed!"....

O'Rly..

Here's an example that I'll bet is familiar to a lot of people: password policy. Does anyone actually follow their company's password policy? I'll bet it looks something like this:

  • Passwords must be 8 or more characters with upper, lower, numeric and special characters
  • Passwords must not be based on dictionary words
  • Passwords must be rotated every 30 days
  • You must have a different password for every system (including not using the same passwords for personal websites)
  • Oh yeah and once you've got this list of 40 or so random strings that are really tricky to remember and you might not use very often, don't you dare write them down

We're setting ourselves up for failure, and study after study shows that users will write down their passwords, or use sequences or many other tricks to make them more memorable.

This example (which may be a user's main interaction with "security") sets the expectation that security policies can be ignored, because they're unrealistic.

So what's the answer..

Well when designing controls, I think that it's not enough to just look at the technical security properties in abstract. We've got to consider the psychological/sociological elements of the people we're expecting to execute the controls, and maybe take a path that isn't the best abstract solution but may well be the one that will work best in real life...

After all once users are set on the path of ignoring security it becomes pretty difficult to get them back on the one true way!

Personal Metadirectory for Passwords [LiveBolt Identity Blog]

Posted: 23 Jun 2008 02:40 PM CDT

Yesterday, I was fed up with my password mess. I had too many passwords, and despite my "method," I was losing track of them all. I decided to work on upgrading my method. I started out looking for a replacement "password vault."

Here are my requirements:

  1. is highly secure, using accepted standards (e.g. PKI, DES, etc.)
  2. works on/across multiple platforms (PC, Mac, Linux, BlackBerry)
  3. synchronizes across multiple instances/platforms (as automatically as possible)
  4. is easy to access/use (e.g. retrieve and use a credential without too many hoops)

KeePass meets all those criteria, but the interface isn't great.

I asked some friends and posted to a newslist. Answers came back including:

  • KeePass
  • vim -x
  • Other encrypted text files (ex. Word doc, plus external encryption)
  • Use a regular thumb drive with TrueCrypt
  • Use a secure/encrypted thumb drive, like the Ironkey

This got me thinking along related lines.

Personal Meta-Directories

1. We all have these. Outlook, Notes, Thunderbird all have our email address books. We have our cell phone address book. We probably have a paper address book for holiday cards. Your spouse, children, boss and peers also have theirs.

2. Why don't we keep our "Passwords" in the Address Book? Obviously because it's not secure. Passwords should be expanded to include any required credentials (certificates, tokens, keys, etc.). But companies keep our credentials in corporate directories. Why shouldn't individuals keep theirs in their own personal directory?

3. KeePass is a file store with some directory-like characteristics, but it's no real metadirectory. The address books I have are not real directories either. And in any case, many meta-directories have poor security.

But, wouldn't it be nice to have a metadirectory with all your access credentials, as well as all your contact data? This is essentially all the data necessary to set up and negotiate the various types of communication channels you personally need and use.

What do you use?

We at LiveBolt would like to know what YOU, the reader, use for securing your “bits.”

We’ll select a user at random on July 1st from the comments below and send them a new IronKey Personal, 1GB Secure (not to mention waterproof) USB Flash Drive, by IronKey. (To the winner: we just ask that you write back and let us know what you think of it!)

To enter the contest, just reply with a comment to this post (before noon CDT on 7/1) and include your answers to the following questions:

1) How do you manage your passwords?

2) What software/hardware/methods do you use?

3) What would be your idea of a killer-app for personal “attribute” management?

Comments will be locked at noon CDT on 7/1 so we can pick a winner. Make sure to include your email address in your comment so we can contact you if you’re a winner. Good luck!!!

Improving OS X Security [securosis.com]

Posted: 23 Jun 2008 02:07 PM CDT

There's been a bunch of news on the Mac security front in the past couple of weeks, from the Safari carpet bombing attack to a couple of trojans popping up. Over the weekend I submitted an email response to a press interview where I outlined my recommended improvements to OS X to keep Macs safer than Windows. On the technical side they included elements like completing the implementation of library randomization (ASLR), adding more stack protection to applications, enhancing and extending sandboxing to most major OS X applications, running fewer processes as root/system, and more extensive use of DEP. I'm not bothering to lay this out in any more depth, because Dino Dai Zovi did a much better job of describing them over on his blog. Dino's one of the top Mac security researchers out there, so I highly suggest you read his post if you're interested in OS X security.

There are a few additional things I’d like to see, outside of the OS level changes:

  1. A more deeply staffed Apple Security Response Center, with a public-facing side to better communicate security issues and engage the research community. Apple absolutely sucks at working with researchers and communicating on security issues. Improvements here will go a long way toward increasing confidence, managing security issues, and avoiding many of the kinds of flareups we've seen in the past few years.
  2. Better policies on updating open source software included with OS X. In some cases, we've seen vulnerabilities in OS X due to included open source software, like Samba and Apache, that are unpatched for MONTHS after they are publicly known. These are fully exploitable on Macs and other Apple products until Apple issues an update. I realize this is a very tough issue, because Apple needs to run through extensive evaluation and testing before releasing updates, but they can mitigate this timeline by engaging deeply with those various open source teams to reduce the windows where users are exposed to the vulnerabilities.
  3. An Apple CSO: someone who is both the internal leader and external face of Apple security. They need an evangelist with credibility in the security world (no, I'm not trolling for a job; I don't want to move to California, even for that).
  4. A secure development lifecycle for Apple products. The programmers there are amazing, but even great programmers need to follow secure coding practices that are enforced with tools and process.

I have suspicions we might see some of these technical issues fixed in Snow Leopard, but the process issues are just as important for building and maintaining a sustainable, secure platform.

Online fraud: Thinking "outside of the box" [Online Identity and Trust]

Posted: 23 Jun 2008 02:07 PM CDT

By Yohai Einav, VeriSign Senior Fraud Analyst

I was on my way to the airport, chatting with my cab driver. After I told him my overused joke about the peasant, the seigneur and the miraculous goat, he asked me for my profession. "Oh, fraud?", he said. "You know, I almost lost $7,000 to card fraud last year".

So the sanguine driver told me how his bank called him, warning him that he had gone into overdraft. When he investigated this he found that his Visa card had recently been charged $6,000. He called Visa, and they told him: "Sir, didn't you make two £1,500 transactions in London two weeks ago?"

No, he was never in London. No, he rarely uses the British Pound in Israel.

"Time out", I said. "Credit card issuers know that this could happen, and there is no way these two transactions could have passed without Visa noticing them". Firstly, the amounts were high, and secondly, the driver's card had a consistent pattern of transactions in only one country. "Didn't Visa call you??" I asked. "No", he said, "the transactions were made on Yom Kippur, the holiest of the Jewish holidays, and no one in Israel was able to answer their phone". "No problem", the driver concluded, "Visa refunded my money the next day. They actually told me that they had dozens of fraudulent transactions on that same holy day".

I loved that story for one reason: it shows how the bad-guys constantly think outside the box. They knew that such a large-scale scam would be detected on any other regular day, so they found a day when it wouldn't be. They know what's inside the box, and then plan ahead.

Here's another story. A few years back I was analyzing a fraudsters' product called CC2Bank, which was basically a management tool for stolen credit cards. Release 1.3 of the tool enabled the bad-guy to type in any credit card number and learn the type of card, the name of the issuing bank, the bank's phone number or the country where the card was issued. Yet it also included another feature, a "list of busy phone lines", with a geographical distribution of the phone numbers. Why was that of interest to the fraudsters?

Again, it was the think-outside-the-box attitude: on e-commerce sites the user needs to provide a phone number. So if you're a bad-guy you probably don't want to provide your home phone number, but you still need to provide some number. You obviously cannot use a random number, because the credit company is going to call it. So what do you do? You find a number that [1] geographically makes sense, and [2] is always busy. When the transaction validation call is made and the line is always busy, the credit company has to make a decision: are we going to pass this transaction or not?

In most cases, as you can already guess, such transactions will be approved.

This is not a new tactic, but a regular fraudster's strategy. Bad guys must use think-outside-the-box ideas, since security companies already cover whatever is inside the box. The lesson for us in the security industry should be emphasized: never rest on our laurels; always try to cover what's outside of the box; occasionally think like a bad-guy; and never ever tell jokes about miraculous goats.
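As an added illustration (not code from Yohai Einav's post or any VeriSign product), the following Python models the two signals the cab-driver story says the issuer should have caught, a card that has only ever been used in one country suddenly charged abroad and an amount far above the cardholder's usual range, and treats a verification call that never connects (holiday, always-busy callback number) as a hold rather than an approval. The card history, transactions and scoring thresholds are constructed assumptions.

```python
"""Transaction risk check modelled on the two stories in the post above.

Added example; not code from Yohai Einav or VeriSign. Every transaction and
card history here is constructed sample data; the thresholds are assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Callable, List, Optional, Tuple


@dataclass
class Txn:
    amount: float     # in the card's home currency, after conversion
    country: str      # two-letter country code of the merchant
    when: str         # ISO date, informational only


@dataclass
class CardHistory:
    home_country: str
    past: List[Txn] = field(default_factory=list)


def country_share(history: CardHistory, country: str) -> float:
    """Fraction of past transactions made in `country` (0.0 if never seen)."""
    if not history.past:
        return 0.0
    return sum(t.country == country for t in history.past) / len(history.past)


def amount_zscore(history: CardHistory, amount: float) -> float:
    """How many standard deviations `amount` sits above the card's usual spend."""
    amounts = [t.amount for t in history.past]
    if len(amounts) < 2:
        return 0.0
    sd = pstdev(amounts)
    if sd == 0:
        return 0.0 if amount == amounts[0] else float("inf")
    return (amount - mean(amounts)) / sd


def risk_score(history: CardHistory, txn: Txn) -> Tuple[int, List[str]]:
    """Score a transaction; 2 or more means 'verify with the cardholder first'."""
    score, reasons = 0, []
    # Signal 1 from the cab-driver story: a card with a consistent single-country
    # pattern is suddenly used somewhere it has never been used before.
    if txn.country != history.home_country and country_share(history, txn.country) == 0.0:
        score += 2
        reasons.append(f"first transaction ever in {txn.country}")
    # Signal 2: the amount is far outside the cardholder's normal range.
    z = amount_zscore(history, txn.amount)
    if z >= 3:
        score += 2
        reasons.append(f"amount {txn.amount:.0f} is {z:.1f} sd above typical")
    return score, reasons


# verify_call returns True (cardholder confirmed), False (cardholder denied) or
# None (could not reach the cardholder: holiday, busy line, no answer).
VerifyCall = Callable[[CardHistory, Txn], Optional[bool]]


def decide(history: CardHistory, txn: Txn, verify_call: VerifyCall) -> str:
    """Return 'approve', 'decline' or 'hold' for the transaction."""
    score, _reasons = risk_score(history, txn)
    if score < 2:
        return "approve"
    confirmed = verify_call(history, txn)
    if confirmed is True:
        return "approve"
    if confirmed is False:
        return "decline"
    # The failure mode both stories exploit: nobody answers, or the callback
    # number is always busy. Silence must not be read as consent; hold the
    # transaction until a human can confirm it.
    return "hold"


def sample_history() -> CardHistory:
    """Constructed history for a card used only at home (IL) with modest amounts."""
    amounts = [120, 80, 250, 60, 300, 90, 150, 200, 110, 400]
    return CardHistory("IL", [Txn(a, "IL", f"2008-09-{i + 1:02d}") for i, a in enumerate(amounts)])


if __name__ == "__main__":
    hist = sample_history()
    unreachable: VerifyCall = lambda h, t: None   # holiday: no one picks up
    for txn in (Txn(180, "IL", "2008-10-09"), Txn(6000, "GB", "2008-10-09")):
        print(txn, risk_score(hist, txn), decide(hist, txn, unreachable))
```

Run stand-alone it approves the routine home-country purchase without a call and holds the large first-ever foreign charge when the cardholder cannot be reached.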

The Next Best Thing to End of Quarter Madness… [Trey Ford - Security Spin Control]

Posted: 23 Jun 2008 01:56 PM CDT

OKAY, so I have pretty much been a big zero about staying on top of this blog thing.  This is the last full week of the quarter, so the worst is now behind my to do list, I am almost done moving, my travel calendar appears to be slowing down, and the PCI 6.6 countdown [...]

VirtSec: Don't hold your breath [Security Incite Rants]

Posted: 23 Jun 2008 11:12 AM CDT


After Alan's plea to add some heft to the Black Hat Blogger Network theme of virtualization security, I figured I'd weigh in a bit on the topic. But first, I want to be very clear that I'm not challenging guys that are much smarter than me. Like Hoff and Thomas. Even guys like Greg Ness and John Peterson are correct in their assessments of the number of new attack vectors that virtualization brings to our data centers - even if they are vendors.

So I'm not going to talk about technical stuff. Yet, I do feel compelled to draw the conclusion that despite the dangers, it doesn't matter. All the folks that are trying to make VirtSec into a market are basically just pushing on a rope.

That's right. No matter how hard you push (or how many blog postings you write), you are not going to make VirtSec into a market for at least 2 years. And that is being pretty optimistic. So for all those VCs that are thinking they've jumped onto the next big security opportunity, I hope your partnership will allow you to be patient.

Again, it's not because the risks of virtualization aren't real. If guys like Hoff and Thomas say they are, then I tend to believe them. But Mr. Market doesn't care what smart guys say. Mr. Market cares about budget cycles and priorities and political affiliations, and none of these lead me to believe that VirtSec revenues are going to accelerate anytime soon.

  1. Budget cycles - This is what every optimistic marketer seems to forget. Customers just don't buy stuff. The large ones tend to work in 18 month (at least) budget cycles. Yes, that's too long - but it's reality. Many organizations are still working on that IPS deployment and maybe Web filtering. The idea of something that doesn't have a clear and present danger... not so much.
  2. Priorities - Of course, there are exceptions to this budget cycle issue, and that's when something really lifts in priority because of a real high profile attack. Kind of like when anti-spam hit the jets in 2004. It was a big enough problem that demanded a solution. Is VirtSec there? Nope. So most enterprises will buy a VirtSec widget or two, but not go into real deployment until they really have to. But, that can change in an instant if a verified exploit hits.
  3. Politics - This is the stickiest issue of them all. Who owns VirtSec? Is it the security guy/gal? Do they really own anything? It's probably a data center thang, but those folks are concerned with other issues (I'll hit that in a minute). What about the network folks, since a VM basically creates a network in the physical enclosure? It's about as clear as mud, and with the lack of clarity, most organizations will opt to do nothing.

Keep in mind how early we are in the adoption of virtualization. Sure, lots of customers are playing around with it. The early adopters are entering massive deployment cycles, but this is not representative of the broad market. Not yet anyway. So we are early, and early markets tend not to worry about security.

It seems the killer need right now for virtualization is VISIBILITY. That's right, increasingly virtualizing your servers creates any number of blind spots that make operating your infrastructure effectively pretty hard. Now a lot of the VirtSec folks have come to the same conclusion, but like their NBA brethren, they are screwing it up.

Visibility is NOT a security issue - it's a MANAGEMENT issue. Funny how the NBA guys are finally getting there like 7 years later. Security is a tangential benefit, not the customer pain. If you sell a security solution to a management problem, it doesn't work out too well. Why can't these guys figure that out?

It gets back to that ongoing faulty belief that security is cool and that positioning security solutions is the easiest path to success, since everyone is paranoid about hackers and compliance. They are wrong. Very very wrong.

Security is ALWAYS the last thing to get addressed when a new technology hits. The security folks are not consulted when a new application architecture or data center infrastructure technology hits, are they? So why would security be one of the first things to get addressed in the virtualization space? Besides the fact that a bunch of entrepreneurs and VCs want it to be so.

The logical order of things (dramatically simplified) is: innovation -> management -> security (maybe). Pick a new technology and prove to me that the order was different. I dare you!

It will be fun to see yet another generation of folks try to change these universal truths of technology market adoption. Fun for me, but not so fun for the guys that are trying to explain to their investors why the market hasn't taken off.

Photo credit: "David Blaine - no mask" originally uploaded by Mirka23

Behind the Bits and Bytes [LiveBolt Identity Blog]

Posted: 23 Jun 2008 10:43 AM CDT

I hesitated posting this entry since it seems more personal than business related. The “softer” side, if you will.

Tim Russert, who grew up 3 blocks from my father, moderator of NBC’s “Meet The Press” has passed on much too early. This is truly a tragic loss — to Buffalo, to politics, to family & friends. The odd thing about today’s electronic/media/technological-age is that our DVR has Russert’s (unknowingly) last episode, and the following tribute episode with Tom Brokaw.

It can be easy to forget that behind the bits and bytes of technology, there are real human beings. Either an audit log, or a digital video recording — many of these moments are actions by people. It caused me to interrupt the scheduled delete/rotation and instead, those two episodes are tagged, “save until I delete.”

A former mentor and boss passed away at a much too young age, just a few years back, similarly sudden and tragic. At work, his technology accounts were immediately deleted and in some cases, suspended. Many at work called this step callous and insensitive. But the sad truth is there are elements out there ready, and willing to take advantage. And in Identity Management, we are sometimes on the front lines of technology response when there’s a human tragedy. It’s not callous — it’s about security.

I can only say that when we work with bulk files, HR data feeds, ACLs and workflows we take just a moment to remember — it’s not just line numbers or data elements — its human beings.

Cell Phone as Boarding Pass [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 23 Jun 2008 09:47 AM CDT

If you haven't caught this yet, the details are very scarce (let me know if you find anything worth posting, besides what's in this InformationWeek article already) and no one seems to be giving away more than the absolutely bare press-release... I can only imagine the ramifications of being able to not only use your cell phone for "boarding pass" purposes but other things now. Can you imagine the social engineering/hacking that'll go on?! I wish I knew more... like what the "encryption" will be used for? Will they simply just barcode-style scan your phone device?

Figures... spoke too soon. More info here.

As a commentary - I find it interesting that I've been "checking in" virtually on United Airlines and American Airlines for months now... and printing my own boarding pass. Is this any more convenient? To have a barcode on your phone rather than on a piece of paper? Maybe...

Blocking Attacks. Period. [ImperViews]

Posted: 23 Jun 2008 08:50 AM CDT

If you are driving on highway 101 North from Sunnyvale to Redwood City you can see a billboard sign encouraging you not to serve alcohol to teens. Unfortunately, like thousands of  other commuters, I have plenty of time to stare at this sign every morning.


It's probably the security geek that lives in my head, but when I saw this sign, I was thinking about monitoring-only security solutions.  Any person using security solutions for monitoring only without enforcing blocking policies is unsafe and irresponsible. In some cases, I would go as far as considering security solutions that can't block major attack vectors (e.g. single packet attacks) as illegal. I truly believe that a security solution must be capable of preventing attacks in the first place. Please note that I'm making a distinction between audit and security solutions. The former can be limited to monitoring only, but as we have learned, in many cases, audit leads to security, thus the right solution architecture must have prevention capabilities as well.

At Imperva, our philosophy (and product strategy) is to provide granular prevention controls. Turning on blocking is not like activating a big on/off switch. We provide granular controls using multiple methods allowing enterprise customers to prevent attacks. When I hear that other vendors are not offering full enforcement or that customers are not using blocking at all, you can tell that I'm orthodox. Don't get me wrong, monitoring web activity is very important. It is the first step, but it's not the destination. We need to PROTECT applications. Protection requires PREVENTION and prevention requires blocking. Of course, a product must be very accurate, able to handle the load, and support enterprise requirements, but at the end of the day, WAFs are a security tool. Customers should evaluate how a WAF blocks attacks, including the most sophisticated, single packet attacks.


At the SANS Web Security Summit, one of the panelists was explaining how he is receiving SecureSphere real time blocking alert messages directly on his BlackBerry device. This panelist is the CISO of an organization that processes more than 70 billion financial transactions per year. SecureSphere is there, blocking attacks in production systems. My point here is that accuracy must be high in order to provide the CISO and of course IT, OPS and other parts of the organization the peace of mind when inspecting 70bn and more transactions per year in real time.

I can't tell what other vendors are providing, but Imperva's customer survey statistics show that the vast majority are running in block mode. Blocking attacks is cool, safe and responsible.




Image source: http://www.dontserveteens.org/materials/posters/14x48.pdf 

Is the CISSP Obsolete? [Infosecurity.US]

Posted: 23 Jun 2008 08:35 AM CDT

Is the CISSP kaput, obsolete, just another paper cert? Is it time to play the funeral dirge for this and other certifications? Read a rather eloquent take on these and other questions at the TS/SCi Security Blog, a fellow member of the Black Hat Security Bloggers Network. Read the comments on the post as well, [...]

ICANN shutting down a Chinese registrar? [InfoSecPodcast.com]

Posted: 23 Jun 2008 08:33 AM CDT

I saw this today on Slashdot. There is an ICANN registrar in China who is apparently not living up to its obligations to verify proper contact information for people registering domain names. The registrar is Xinnet Bei Gong Da Software. How bad is it you ask?

  • Of 11,000 suspected spam domains registered through them, NONE were taken down in a 6 month period.
  • Approximately 100 new spam sites per day being registered.
  • A “significant” number of those domain registrations have apparent bogus contact information

What makes matters worse is that there appears to be some interesting language in the ICANN agreement that registrars are supposed to comply with:

“Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.”

Reasonable steps? A little vague, don’t you think? It will be interesting to see if ICANN does something here. Why does the phrase “Stop or I’ll yell Stop again!!!” come to my mind here?

–Chris


Data Integrity is important, now official! [IT Security: The view from here]

Posted: 23 Jun 2008 04:41 AM CDT

I'm a big fan of the Jericho Forum, it was set up by a bunch of visionary Brits for a start, they have never listened to criticisms from the cynics, and kept their stance broadly the same since inception. Many of the cynics have now come around to their way of thinking, "actually, it was only getting rid of firewalls I objected to, de-perimeterisation is a good idea"-type responses abound. And that's from the clever ones.

I first met Andrew Yeomans from JF about 5 years ago, with a considerably flatter stomach and more hair (me that is, Andrew hasn't aged a day). I was extremely flattered to get a comment from him on a recent post, and a subsequent email to say that he regularly reads these posts. I'd better write something sensible then.

My attention has today been brought to the comments of another Jericho director, founder and all round security Titan, David Lacey. I've never met David, but you can't really move far in the UK Security arena without hearing the name, especially not in data-security. I was beaming from ear to ear then, when I heard this.

What's that? Data integrity will be the next threat? So, I'm NOT mad? Maybe just a little early to the game when I said it last year? Once again, a prediction came true, and far earlier than I thought. I'm hoping this is going to build from here. Obviously no-one is going to listen to my little voice, but with DL saying it, I think some people may start to sit up and pay attention.

Of course, I hope he will take a look at my old chums at Kinamik, he already has some pretty big fans there out in Barcelona. And if he's reading, David, if you fancy a quick break in Spain, I know some people who would happily put you up!

Google and Wildcard Domains [GNUCITIZEN Media Portfolio]

Posted: 23 Jun 2008 04:38 AM CDT

Ok, ignore the image. This is the best I could find online. This post is about a thing I happened to notice while messing around with my own Google for Applications accounts.

In Google We Trust

Basically, Google allows you to use custom domains for your Google for Applications, Blogspot, Mashup Editor and of course App Engine accounts. I think this is an excellent feature and I use it for several of my domains. Although, some of the Google applications ask you to verify the ownership of the domain you are about to use by instructing you to place a special CNAME record on your nameserver, others don’t. They simply assume that if a domain points back to them it must have been authorized by the owner and this is exactly the case with Blogspot.

This is a very interesting situation and I must say it can be used for some very nasty phishing and defamation attacks, smear campaigns among other things especially today when most of the businesses move to SaaS. It is interesting, because many companies/organizations, from what I can see when doing some basic queries, are using wildcards to point back to Google. The wildcard domain instructs the nameserver to resolve any random domain to whatever details you specify. In case of Google, nameserver admins simply wildcard to ghs.google.com.

This might seem a good decision from an administrative point of view, but it is a horrible misconfiguration problem if you think about it. The problem is that as soon as you wildcard to Google’s SaaS, you allow an attacker to register subdomains under your domain. For example, if we have *.acme.com pointing to ghs.google.com, an attacker will be able to register blog.acme.com and use that to confuse the crap out of everybody.

This is a huge problem, people, and you had better start taking the entire system, not just the individual components, more seriously.
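As an added illustration (not GNUCITIZEN's code), here is a small checker that parses a constructed BIND-style zone for a hypothetical acme.com and flags wildcard records that delegate the whole domain to ghs.google.com, the pattern the post describes; it also reports which hostnames are left claimable by a third party versus those pinned down by an explicit record. Real DNS wildcard matching has more rules than the simplified check here.

```python
"""Flag wildcard DNS records that hand an entire domain to a SaaS host.

Constructed example for a hypothetical acme.com; the zone text below is
made up and is not from any real nameserver.
"""
import re

# Hosts that let customers attach arbitrary hostnames; ghs.google.com is the
# one named in the post. Extend for other providers as needed (assumption).
SAAS_HOSTS = {"ghs.google.com."}

# Constructed zone snippet: one explicit Google record (fine) and one
# wildcard record (the misconfiguration).
SAMPLE_ZONE = """\
$ORIGIN acme.com.
@       IN  A       192.0.2.10
www     IN  A       192.0.2.10
blog    IN  CNAME   ghs.google.com.
*       IN  CNAME   ghs.google.com.
*.dev   IN  A       192.0.2.20
"""

RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME)\s+(\S+)", re.I)


def parse_zone(text):
    """Return (fqdn, type, target) tuples; handles $ORIGIN, '@' and comments."""
    origin, records = ".", []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # SOA/NS/MX etc. are irrelevant to this check
        name, rtype, target = m.groups()
        fqdn = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        records.append((fqdn, rtype.upper(), target))
    return records


def find_wildcard_saas(records):
    """Wildcard CNAMEs whose target is a SaaS host that does not verify ownership."""
    return [(n, t) for n, rtype, t in records
            if n.startswith("*.") and rtype == "CNAME" and t.lower() in SAAS_HOSTS]


def claimable(records, hostname):
    """True if hostname has no explicit record but a flagged wildcard covers it."""
    if any(n == hostname for n, _, _ in records):
        return False  # an explicit record wins over the wildcard
    parent = hostname.split(".", 1)[1]
    return any(n == "*." + parent for n, _ in find_wildcard_saas(records))
```

The fix the post implies is to replace the wildcard with explicit records for the hostnames you actually delegate, so `claimable()` returns False for everything else.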

Security Catalyst Community - Discussion Forum Activity [The Security Catalyst]

Posted: 22 Jun 2008 10:14 PM CDT

Recent activity includes:

Your voice is needed! As always, your currency is your participation (which means no out of pocket expenses from you — and the more active you are, the more benefit you receive). 

New job for me :) [InfoSecPodcast.com]

Posted: 22 Jun 2008 08:52 PM CDT

Yup….I’m still around. For the record, working for a VAR is NOT for me. It has taken a couple of them to make me realize that if I am going to sell / represent a product it needs to be my product. Both of the VARs I worked for recently, GreenPages and Focus Technology Solutions, were good companies to work for….it just wasn’t for me.

So I am working in an Information Security position at MIT Lincoln Laboratory. It’s a very interesting mix of Academia and Military. We have a new CIO (as of last fall) and he really seems to be shaking things up and making some improvements. The environment is similar in feel to the NSA which is no surprise given the classified research that is done there. So far I am enjoying it. I do not enjoy the commute…about 60 miles each way with 12 of it being on 128. Those in the Boston area know all too well what I am talking about.

I’ve got a couple of posts in the works to try and freshen things up around here. The site is also going to get a fresh look and feel. Who knows, I might even get a podcast or two up :)

–Chris


You Shouldn’t Have to (be able to) Snoop to Do Your Job [IceLock Blog]

Posted: 22 Jun 2008 08:26 PM CDT

This survey, described in PC World,  and ZD Net claims that “One in Three IT Admins Admit Snooping.” This threat is completely unnecessary.

One of the most important parts of building an encryption system is selectively providing access to files to allow IT workers/admins to service and support the equipment while keeping confidential information private. Early whole disk encryption systems fail at this, as IT workers need to authenticate and decrypt the entire system to support it. Systems like IceLock take a smarter approach, letting IT support the machine while keeping secrets secret.
