Thursday, July 31, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

USENIX Workshop on Hot Topics in Security [Infosec Events]

Posted: 30 Jul 2008 11:54 PM CDT

Yesterday was the USENIX Workshop on Hot Topics in Security. We weren’t able to attend this workshop, but the presentations are now online.

Here are some Workshop on Hot Topics in Security presentations that sound interesting to us:

And here are the rest of the Workshop on Hot Topics in Security presentations:

As you can see, there were some very interesting topics presented at this workshop. The TrueCrypt paper is probably the first one that I will be reading. Have enough papers and presentations to read yet?

USENIX Workshop on Offensive Technologies [Infosec Events]

Posted: 30 Jul 2008 09:02 PM CDT

This is the week of USENIX, as they have several security related workshops, and their annual  Security Symposium. On Monday, there was the Workshop on Offensive Technologies, and I was lucky enough to get invited to the workshop.

Paul Vixie started the event by talking about the DNS cache poisoning vulnerability. He didn’t talk about the actual vulnerability because Dan Kaminsky will be discussing it at the upcoming Black Hat USA Briefings. But he did talk about the patch, and other solutions that could possibly fix the DNS cache poisoning vulnerability. He did note that the patch isn’t a 100% fix, as it is a statistical patch against a statistical vulnerability.

Many of the other presentations were very interesting as well. Here are a couple Workshop on Offensive Technologies presentations that I enjoyed:

And here are the rest of the Workshop on Offensive Technologies presentations:

CPISM certification empowers merchants [PCI Blog - Compliance Demystified]

Posted: 30 Jul 2008 06:34 PM CDT

Congratulations to Walter Conway for his CPISM certification.  If you are not subscribed to his blog, please do so, especially if you are interested in Higher Education.  Rob is also one of the blogs that is syndicated via the Society of Payment Security Professionals.

The reason I congratulate him is because he has been working for years to do exactly what we do: educate and empower people about PCI compliance.  My mantra has always been to bring our expertise and education to empower those “across the table” from their auditor.  Have you ever felt frustrated because one auditor tells you one thing and another tells you something else entirely?  Perhaps this is just their variance in interpretation of the standard or personal risk tolerance.  The problem is that if you re-engineer your environment every time you get a different auditor you may go bankrupt!

So what can people do to learn what their auditor knows?  How can people empower themselves to understand the payment card industry so they can speak about it knowledgeably?  I’m not only an advocate, I’m also a member of the Society of Payment Security Professionals.  They have launched the Certified Payment-Card Industry Manager (CPISM) certification.  This certification and the training for it is geared at educating people about the payment card industry so they can speak with others (i.e. an auditor) knowledgably about it.

Someone called me up today asking about their call center and how one auditor said it was not in scope and another said it was in scope.  They had just finished re-architect their environment to make a secure payments area and now they were looking at re-engineering it to accommodate the requirements of this new auditor.  I told that person that they could always call upon me (as you all can via the email address and phone number on this blog), but that they would feel more confident if they empowered themselves.

It’s like the old proverb, “if you give a man a fish he will eat for a day, but if you teach a man to fish he will eat for a lifetime.”  This certification is meant to empower others to feel more confident about the decisions they make, because they invested the time necessary to learn the nuances of the industry.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

PCI Survey [PCI Blog - Compliance Demystified]

Posted: 30 Jul 2008 06:18 PM CDT

If you are not already subscribed to Rob Newby’s blog then maybe today is the day you do.  His is one of the few that is syndicated via the Society of Payment Security Professionals.  He has put online a survey on PCI DSS compliance that is meant to identify some of the roadblocks to compliance.

Since Rob is based in the UK this survey is targeted mostly at European companies, but I’d urge you all to participate.  The more information available to the public the more we can identify the roadblocks and remove them.

We already know that things such as Chip-PIN have had an ideological impact on PCI DSS adoption within the UK and Europe.  It goes a long way towards protecting cardholder data, but it alone will not protect merchants from exposing sensitive data.  Merchants must understand that integrated POS devices could retain “track equivalent data” which cannot be retained post authorization.

Other issues include the multi-acquirer relationships within Spain and Italy.  This power shift makes it harder for acquires to push for compliance within their merchant community.

Also, things such as Single Euro Payments Area (SEPA) may bring changes to how merchants see their PCI scope.  There are a number of things that companies must consider and an equal number of roadblocks.

In the end, excuses are just that.  If you choose to not wear a life preserver just because your neighbor isn’t then both of you will down when the ship springs a leak.  Ignorance is no excuse.

Also, if you’d rather read up on a Web App Sec survey check it out.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

A sneak peek at a Black Hat presentation [StillSecure, After All These Years]

Posted: 30 Jul 2008 06:08 PM CDT

No, it is not the Dan K DNS presentation, sorry.  Patrick McGregor, CEO of BitArmor Systems is presenting at Black Hat as well.  As part of our promotion with the SBN and Black Hat I have made my blog available to Patrick to give us a sneak peek at his presentation.  Patrick was nice enough to prepare the following:

Braving the Cold (Boot) – A Sneak Peek of My Presentation at Black Hat

by Patrick McGregor

Cold boot attacks aren't theoretical academic exercises. Cold boot attacks are real. And they're serious.

In the past few years, companies have poured hundreds of millions of dollars into full disk encryption technologies. Companies expect full disk encryption to reduce the risk of exposure of sensitive information such as intellectual property or customer data. Reality often deviates from what is expected, however. Researchers from Princeton shocked the industry earlier in 2008 when they released a research paper that showed that low-cost "Cold Boot" attacks could be used to defeat the security of most full disk encryption systems. They recently even published all the tools needed to do this at home!

Some have argued that Cold Boot attacks are not serious security threats. I disagree! First, an unskilled person can capitalize on the exploit using simple, automated steps and publicly available tools. In fact, Cold Boot attacks require nothing more than plugging a USB drive into a laptop. Second, the physical target of a Cold Boot attack, such as a laptop, is very easily obtainable (see the recent Ponemon report on laptops lost/stolen in airports – scary!). Third, although many laptops and desktops are stolen via random acts of theft, it is well known that some criminals profit from organized, calculated data theft. It is only a matter of time before we hear of a high-profile data breach that results from a simple Cold Boot attack.

I am excited to present at Black Hat several innovations for preventing Cold Boot attacks. In addition to summarizing how a Cold Boot attack works, I'll describe four new software techniques for hardening full disk encryption against the attacks. The software technology was developed by myself, Tim Hollebeek, Alexander Volynkin, and Matt White. All of us work for BitArmor, an exciting security startup based in Pittsburgh. Here's a sneak peek:

· Wash up: Wipe keys immediately before certain OS state transitions, such as before the computer shuts down or goes into hibernation mode – accessing the memory will yield nothing.

· Take advantage of BIOS memory smashing: By strategically placing keys in certain regions of memory, we can rely on the BIOS boot process to overwrite keys before any operating system can dump the contents of memory.

· Is it chilly in here?: Using built-in temperature sensors, we can lock down the system in reaction to temperature drops that may indicate a Cold Boot attack is in progress.

· Create a virtual enclave for keys: We can implement special cryptographic, OS and processor architecture techniques to provide robust protection for keys against the most aggressive cold boot attacks. By creating a "virtual secure enclave" for encryption keys in software, an attacker cannot extract critical keys from memory – even if the RAM is super-cooled.

Hope you can join us at Black Hat as we take an in-depth look at the future of full disk encryption technology.

Oh oh, I use AT&T [Network Security Blog]

Posted: 30 Jul 2008 04:57 PM CDT

Not that I’m surprised, but it appears that a DNS server at AT&T has been the first high profile targets of the DNS vulnerability discovered by Dan Kaminsky. I’ve been testing my internet connection every once in a while since I called out AT&T to patch last week and as of Monday it appeared to be safe. Even the 3G connection I’m using right now appears to be safe. But at least one server in the AT&T network was vulnerable and HD Moore’s company BreakingPoint was the target. A little bit of delicious irony there, since HD is the creator of Metasploit and released a plugin to test for the DNS vulnerability last week.

I’m getting tired of writing about the DNS issue and hope that AT&T and other service providers make a lot better effort in patching for the vulnerability now that it’s in the wild and being exploited. Dan mentioned an interesting set of statistics last week: When he first put up his vulnerability test page 78% of all tests came back as vulnerable, while as of last week only 56% of the tests came back as vulnerable. I’m quoting these numbers from memory, so they may be off a little, but it’s still an impressive effort to patch. Not nearly good enough, but still impressive.

I hope this spurs a fresh round of patching by large service providers as well as smaller companies, but I’m not going to hold my breath. I wonder how many more tricks Dan has up is sleeve for his talk at Black Hat, because I don’t think we’ve seen the full extent of this vulnerability just yet.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

Flash being used in spam emails [mxlab - all about anti virus and anti spam]

Posted: 30 Jul 2008 04:50 PM CDT

Spammers often include links in their messages directing to web sites. These links are most of the time in the form of a URL including .html, .htm, .asp, .php or something similar.

A new spam trick includes now to include an URL directing to an Flash animation with the .swf extension. Most browsers will play the Flash movie even if this one isn’t embedded in an .html page.

The Flash contains no animation but a redirect to a web site with the spammers offer.

Commtouch reports that the messages arrived in small quantities on Saturday, and by Monday, July 28, had become a massive outbreak. 7000 URLs have been created and used in millions of spam messages.

Speaking Of FAIL [PaulDotCom]

Posted: 30 Jul 2008 04:39 PM CDT

Oh, and speaking on fail, I got this error message yesterday:


My guess is that my time on my computer was slightly off, and triggered the error, as subsequent requests did not generate that message. However, nothing like waiting until the minute (literally) to install the new certificate!


July Late-Breaking Computer Attack Vectors Presentation [PaulDotCom]

Posted: 30 Jul 2008 04:38 PM CDT


Thank you to all who listened (and viewed) live this afternoon. The slides from today's presentation are below:

July LBCAV Presentation

I totally dropped the ball and forgot to record the audio (Doh!). However, I will record all subsequent month's and release it on the PaulDotCom feed. Please let me know if you have any questions or comments about the webcast content.


Malware round up, for now [mxlab - all about anti virus and anti spam]

Posted: 30 Jul 2008 04:35 PM CDT

The UPS trojan and malware that was distributed by an email was one of the latest highlights. In more than one occasion the attached zip was was extracted, openen and the trojan was executed. Anti virus engines had all the troubles to keep up-to-date and to provide some real protection.

Commtouch, our technology partner, have provided us with a graphic when the UPS trojan outbreaks appear per day based on the ups_invoice.exe  attachment.

As we also reported on this blog, the malware was send out in so called bursts: many emails with the virus in a short time. In the graph you can when some massive waves or bursts occured. By sending out viruses in burst you can have a better result regarding infections because you can reach many unprotected computers in a short time frame.

At the moment things have cooled down a bit but since this afternoon we see the variant ‘Buy your ticket online’ appear in our messages logs. This story isn’t over yet and we keep our eyes open.

A little public transportation snooping [Andy, ITGuy]

Posted: 30 Jul 2008 03:43 PM CDT

I started riding the bus from where I live into town a little over a year ago. When I first started there were 3 departures each morning and maybe 60 people total used the bus. Now that gas is $4 a gallon there are 4 departures each morning and about 200 people are riding. Of course when you ride with the same people daily you get to know them a little and conversation flows a little easier. This can be a paradise for a social engineer. Just today 2 events occurred on the ride home that caught my attention.

The first involved a man who was looking for a ride to the town where I live. He does not live there and was going to meet someone. He started asking questions of some of the riders about where the bus stopped and when it usually arrives, etc.. Then he made a phone call presumably to the person he is going to meet. The talked about the specifics of meeting and at some point the person wanted to give him a different phone number to call when he got closer to town. He said that he didn't have anything to write it down with but he would try to remember it. After he hung up the phone a nice lady sitting in front of him handed him a slip of paper with the number on it.

My first thought was "boy, she sure is nosey" but then again she probably was just being helpful and couldn't help but overhear the conversation. You could even say I was being nosey since I'm telling you the details. :) Then I thought of how easy it would have been for a similar scenario to have taken place regarding company information. As I write this I remember a couple of conversations that a network engineer that works for a big telephone company in the area had. He was talking to another engineer trying to help him solve a problem and router names and IP's were given over the phone. Other details regarding routes and ACL's were also freely given on a crowded bus.

The next issue that occurred today involves the guy sitting next to me. The first issue is that he woke me up to ask if he could sit next to me. Now that I look around I see that there are no other empty seats so I'll let it slide this time. :) Next he pulled out his laptop and started writing code, reading and writing emails and opened a database. All right there for me to see. All of it is company related (yes, I looked and I wish I had the nerve of Johnny Long to take a picture). I've got a perfect view of his screen and can tell that he is working on the database that he opened. His emails are being sent to work detailing what he is changing in the database. The one good piece of news is that he at least has his wireless radio turned off. I first pulled out NetStumbler to see if I could see him.

This just all goes to show you that you never know who is listening or looking over your shoulder. You really need to be careful when in a crowd.

CharmSec Infosec Meetup Event - Thursday, 07-31: Normal Meeting []

Posted: 30 Jul 2008 01:58 PM CDT

Here is some information regarding this week’s Thursday CharmSec infosec meetup event.

For more information on CharmSec, see its description in our NoVA Meetups section. Here is a link to the post about this meetup.

For everything else there's karma [Andy, ITGuy]

Posted: 30 Jul 2008 09:22 AM CDT

CapSecDC Infosec Meetup Event - Wednesday, 07-30: Normal Meeting []

Posted: 30 Jul 2008 08:22 AM CDT

Here is some information regarding this week’s Wednesday CapSecDC infosec meetup event. Unless it's raining, they’ll be in the backyard; so go all the way down the bar, past the bathrooms, and through the little hallway to the back, and look for them amongst the plastic tables and chairs.

For more information on CapSecDC, see its description in our NoVA Meetups section. Here is a link to the post about this meetup.

OAUTH and OATH - confusing? [Mike Davies: Online Identity and Trust in EMEA]

Posted: 30 Jul 2008 07:38 AM CDT

Just read an excellent post about the difference between OAUTH and OPEN ID.

The reason for this post is that I wanted to make sure that there is no confusion between OAUTH and another standard called OATH which broadly fits in the same space.

Here is my understanding of OAUTH with an example shamelessly taken from their web site to explain:

OAUTH is a way for you to move from one site to another site and grant temporary access to the second site so that you can access the resources from the second site from the first site. Here is a good real life example:

"When a user wants to print a photo stored on another site, the interaction goes something like this: the user signs into the printer website and place an order for prints. The printer website asks which photos to print and the user chooses the name of the site where her photos are stored (from the list of sites supported by the printer). The printer website sends the user to the photo site to grant access. At the photo site the user signs into her account and is asked if she really wants to share her photos with the printer. If she agrees, she is sent back to the printer site which can now access the photos. At no point did the user share her username and password with the printer site."

OATH on the other hand is a standard for sharing a second factor authentication token.

Imagine that you have 10 online relationships which are potentially interesting to a fraudster or contain sensitive personal information (such as Banking, Healthcare, Retail, Gaming, gambling, insurance etc.).

If each site provided you with a two factor authentication device (like a Vasco token or VIP Card) then you would need 10 tokens for your online relationships, obviously impractical and expensive at the consumer level.

OATH sets a standard where the consumer uses the same token across multiple sites.

The first factor of authentication (i.e. user name and password) would likely be different at each site and are not part of the OATH standards, and in fact hey guess what, this is where OPEN ID fits in.

A real live example of OATH working is the VeriSign VIP network (enough plugging already, if you want to read more go to the VeriSign Site).

My personal view on OPEN ID and OATH I have blogged before about, but here is a simple diagram explaining that relationship.


If I was to try and fit OAUTH into the diagram I guess it would kind of fit across both the SITE ID part and the 1st FACTOR part as it is establishing a standard where sites can ID themselves to each other and allow the consumer to use their first factor of authentication to enable the sites to share the resources.

Anyway, I see OAUTH and OATH and OPEN ID living side by side.

Meru Networks erects a "cone of silence" [StillSecure, After All These Years]

Posted: 30 Jul 2008 07:13 AM CDT

Coneofsilence Who doesn't remember the cone of silence from the original Get Smart TV series.  Whenever Max and the Chief had something important to discuss they would lower the cone of silence so that no one else could hear them or eavesdrop. So it is only fitting with the recent release of the Get Smart movie, Meru Networks has released a wireless cone of silence.

Meru is one of few stand alone wireless companies still hanging on out there.  So they need to be innovative to survive.  Their latest product, RF Barrier puts antennas around a physical plant to dampen and make it impossible to to listen in on wireless data exchanges.  They claim this is a first of its kind.  Thinking about it though, I don't see a big barrier to other companies having similar technology. I don't think you have to be a genius to broadcast traffic that puts out "noise" to hide legit traffic. I think the real special sauce is that this works in conjunction with Meru's other security products like wireless firewalls and secure access points.

With Motorola's recent purchase of AirDefense is having wireless IPS soon going to be table stakes in the wireless provider game?  I think it is and while Meru's RF barrier is a nice story, they are going to need to have some sort of IDS/IPS in their product line to keep up.

Zemanta Pixie

Blogging as therapy [StillSecure, After All These Years]

Posted: 30 Jul 2008 01:13 AM CDT

As some of you know, my friend Mitchell Ashley and his wife Mary Ellen have been battling against breast cancer for over 3 years now. It has been a roller coaster ride for both of them and I have seen first hand how much courage it has taken for Mitchell to deal with this scourge, let alone the courage that Mary Ellen has in battling this disease. Though Mitchell has never made a secret of it, he has not made it very public either. That has now changed with a new blog that Mitchell started call

Mitchell wants to share his experience as the "other" spouse in this life and death battle that too many couples face. He is looking to make it a resource for others faced with a similar battle. But there is part of doing this which is therapeutic for Mitchell as well. Talking about what he is feeling and going through helps him deal with the emotions and toll it takes. At the same time he is providing resources to those who may be in need.

I applaud Mitchell for being brave enough to come forward and face these demons publicly. Though we do not work together every day, Mitchell and I still speak almost every day. I know that he and Mary Ellen fight this each and every day and am constantly amazed at their faith in God and courage. If you get a chance, check out the blog and support Mitchell, Mary Ellen and the rest of the people who do battle with this terrible disease every day.

Zemanta Pixie

New blog: Breast Cancer For [The Converging Network]

Posted: 29 Jul 2008 10:07 PM CDT

Bcfh_thumbnail I've started a new blog called Breast Cancer For As many of you know, my wife and I have battled her breast cancer together over the past three years. There have been highs and lows, struggles and victories, and through it all breast cancer is something we battle both together and on our own. If you've been close to someone with breast cancer, you know that even once the cancer is no longer detectable you still live your life changed from that experience.

I decided to blog about the topic, first for my own therapeutic need through writing and sharing, and second to create something that I and other husbands (and their wives and family members) could be a part of while supporting a loved one with breast cancer.

To learn more, check out the initial blog post where I talk more about the reasons behind creating this new blog.

If you or someone you know has had or is living through the breast cancer journey with a spouse, I would appreciate your forwarding a link to

Thank you to everyone who continues to provide love, support, prayers, calls, emails, letters and visits. I hope you'll share my new blog with someone who it might benefit. I surely will be blessed through all who are part of this journey as well.

No podcast this week [Network Security Blog]

Posted: 29 Jul 2008 08:04 PM CDT

Rich and I are both incredibly busy, trying to get some work done before Black Hat and Defcon start. We’re planning on producing a podcast next week from the showroom floor at BH as well as a few microcasts from the both Black Hat and Defcon.

So tune in next week, I promise the audio will be better than episode 113’s was. Because you know it can’t get much worse than last week.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

Ah, the joys of blogging! [StillSecure, After All These Years]

Posted: 29 Jul 2008 05:12 PM CDT

People ask why do you blog?  In the final analysis I blog because I like to. Every once in a while though you get a comment from a reader that reminds you why it is all worth while.  Here is one I received today from a person alleging to be a Julie Peterson:

Julie Peterson commented on Safe Access wins SC Magazine Award Reader Trust Award, again!:

Dressed in a tuxedo and chewing those rubber chicken breasts at the award ceremony is your idea of fun? Aren't you the same mentally retarded idiot who said in 2007 that you hated SC awards and that anyone can buy the SC awards with a sponsorship? Why do you think people give over $10k as sponsorship for the SC awards? Who is watching the awards except other vendors? By the way you suck big time with your rubbish blogs. Didn't networld magazine give you the boot within 3 months? Think before you write Mr. mental. Well done on winning, but please, dont give the impression that you cant buy an award from SC! And don't forget to eat your medication pills tonight, otherwise from your hair it is obvious you ran away from a mental hospital.

First of all Julie, let me thank you for your kind words! You made the statement and let me answer your questions for you.

1. Is dressing in a tuxedo and chewing rubber chicken breasts my idea of fun?  Actually, I do enjoy dressing up in a tuxedo once in a while.  The food at the awards ceremony was actually pretty good, if not diet friendly, as were the cocktails.  The entertainment at the awards show was pretty good as well. Catching up with friends you had not seen for a while and networking with industry peers was pretty worthwhile too.  Maybe your idea of a good time is putting on a bowling shirt and swilling a couple of beers and pretzels before going home and undressing into your dirty ripped underwear. Hey I say to each his own.

2. I am not the idiot who in 2007 said that I hated the SC awards and that anyone can buy the SC awards with a sponsorship.  I am the idiot who said that about the InfoSec Products Guide award by the folks at Silicon Valley Communications.  In contrast I have always said nice things about the SC awards. I actually have a lot of respect for them.  Also for the record, StillSecure has never been a sponsor of the SC Magazine awards. I have seen sponsors who did not win awards as well.  So looks like you got that one wrong Julie, but it happens.

3. "Networld" magazine didn't give me the boot within 3 months.  They never had the chance, as I never wrote for "networld, network world or any other magazine. Maybe you have me confused with Mike Rothman or Mitchell Ashley, who do and did write for Network World. But let me assure you that I do try and think before I write.

4. Regarding what medication pills I take and does my hair make it obvious I ran away from a mental hospital. I don't take any medication, maybe I should.  Better living through chemistry you know ;-)  As to my hair, what can I say.  At this stage I am happy I have any hair at all.  My wife always says when I get my haircut it looks like a Buzz Lightyear style, but no one ever mentioned a mental hospital look to it.  In any event sorry it doesn't appeal to you.

So who is this troll Julie Peterson?  Could it be Richard Stiennon in drag?  Maybe his wife striking out?  Maybe another one of my fans?  Who knows, but these sort of comments keep me juiced about blogging and remind me of how much fun I have doing it.  Thanks again Julie!

Product Bistro: Demos, Demos, Demos [The Converging Network]

Posted: 29 Jul 2008 03:43 PM CDT

Product_bistro_lunch_bag I enjoyed a really great session yesterday with a few of the teams at TechStars in Boulder. The room was filled with two things; passionate entrepreneurs, and people looking to help each other. Four companies presented in rapid succession their 10 minute investment pitches with some time for Q&A.

Part of those pitches were product demos in various forms, so naturally I had to chime in about my experiences demoing products. To help folks out, I said I'd post links to two of my previous posts about demos.

One other thought I'd pass along is that old saying, "How do you get to Carnegie Hall? Practice, practice, practice." There's nothing like knowing your story better than anyone else and being able to tell it at the drop of a hat, and tell it well. Being on top of your game comes through in spades to your audience. Then you can deliver your best presentation and deal with the questions and other things that might come up.

Best wishes to everyone at TechStars and keep practicing those pitches!

Webcast Tomorrow: Late-Breaking Computer Attack Vectors [PaulDotCom]

Posted: 29 Jul 2008 08:59 AM CDT


The July Late-Breaking Computer Attack Vectors webcast this month will be held on:

Wednesday, July 30, 2008 2:00 pm EDT (GMT -04:00, New York)

Register Here For This Webcast

This month we I will discuss some of the latest attacks, including:

  • What you need to know about the DNS bug
  • Tips for securing Mac OS X
  • Hacked before you know it (without wires)
  • Who has the key to your city?
  • Nmap: The Book

This webcast will run about 45 minutes and I will focus on some cutting-edge attacks and defenses. The defensive recommendations will hopefully avoid situations like this:




Symantec takes a fling it on the wall approach to NAC [StillSecure, After All These Years]

Posted: 29 Jul 2008 06:49 AM CDT

I was reading Tim Greene's column this morning about Symantec's new on demand web log in for guests as part of their SNAC appliance offering. I have to admit that even I who follows the NAC market and competition pretty closely, get pretty confused with all of the different offerings Symantec has come out with around NAC. Symantec seems to be following a fling stuff on the wall and see what sticks strategy when it comes to NAC.  The problem is separating the keepers from the rest of it when evaluating their offering.

This latest offering appears to sure up a hole that was called out in the recent CRN review of their product in a bake off against Sophos and StillSecure's Safe Access. In that review Symantec's drop off in functionality between agent and agentless was called out.  So within just a few days comes this announcement addressing the issue.  Very timely indeed.  This comes on the heels of Symantec's peer-to-peer approach to NAC, which came on the heels of their Endpoint Security product version 11 which had NAC included (and which I understand has already been patched/upgraded several times since its release). 

At this point you have Symantec NAC with their endpoint suite which is a throw in but has no guest access option on its own. Than you have the Symantec NAC appliance which can do enforcement of managed devices beyond what just endpoint suite gives you.  Now you also have on demand/dissolvable agents available with the Symantec NAC server (but I guess not with the endpoint suite). You also have the Symantec peer-to-peer stuff, which I think also requires the SNAC server.  Starting to get confusing? I guess this is what happens when your NAC offering is made up of an amalgamation of several different products lumped together.

Not to worry though, I am sure Big Yellow will still sell plenty of all flavors of their NAC offering. At the end of the day some of this stuff is bound to stick.

Zemanta Pixie

Monday merger-mania in security [StillSecure, After All These Years]

Posted: 28 Jul 2008 09:54 PM CDT

Not sure if it is because of the slumping market and economy or in spite of it, but there pace of merger activity has been picking up lately and the security industry has not been immune to it.  Today saw two meaningful deals announced that could have an impact on the security landscape:

1. Sophos buys Utimaco - Saw this one when I woke up today, as it is a European deal.  UK based Sophos is buying German based Utimaco, makers of the SafeGuard line of data encryption/protection/DLP product line.  Sophos is paying cash $340 million US for in this deal.  This means they are substantially dipping into the credit market, as this is far more than they reported cash on hand. So like the Brocade/Foundry deal, the acquiring company feels strong enough about the acquisition to mortgage the house to get it.  In this case, I think Sophos is making a smart deal. They clearly say that to compete with Symantec, McAfee and Microsoft they are going to need a full endpoint security suite. AV alone is not just going to cut it. This gives Sophos a real play in DLP and data storage space. 

Yes they could have just done a partner deal for this type of technology, but I applaud them for going out and buying the technology.  I wondered if they would use this as a reverse merger entry to the public markets but it doesn't look like that.  In any event it looks like Sophos is making the play and spending the bucks to be a player in the endpoint security suite game.

2. Motorola buys AirDefense - Well one of the air brothers finally found a taker. I always thought that for all of the press AirDefense, AirTight and AirMagnet receive, the revenue just didn't match the hype. Stand alone wireless security was a tweener.  Would traditional security cover wireless or would traditional wireless cover wireless security.  In any event a stand along wireless security play is a tough road.  So with this answer Motorola says wireless handles wireless security. 

My question is what does the future hold for Motorola.  They are reportedly getting out of the cell phone business.  Is their wireless business, even a secure one enough to support this giant?  I don't know but there is a bit of "dead man walking" over there if you ask me. 

I think the play is clear though that wireless providers are going to snap up wireless security companies. The real issue is at what prices.  If anyone hears a price on this one, let me know.

Zemanta Pixie

The NAC Unbeliever [CTO Chronicles]

Posted: 28 Jul 2008 05:22 PM CDT

If you didn't tune in for the NAC debate between Joel Snyder and Richard Stiennon you should check it out here.  It was a good exchange but Snyder was clearly speaking from stronger ground.  This was one of Stiennon's comments in the debate (talking about NAC):

Richard_Stiennon: I agree that it is turning into a religion, which makes me an atheist.

I knew he hated apple pie.  I knew it.  Actually, that was just Richard being Richard, but even when discussing the real issues he seemed to be all over the place. Here's my take on a couple of other nuggets of wisdom he shared in the NAC debate.

Stiennon's historically wrong: 

Richard_Stiennon: "MSBlaster was essentially a zero day [exploit] for most enterprises. If they had had NAC fully deployed they still would have gotten hit."

The CERT advisory on blaster was issued on August 11, 2003.  The security bulletin and the patch were available on Microsoft's web site on July 16, 2003.  Roughly 30 days.  Nowhere near zero-day.  Indeed this works against Stiennon's other argument about patch and software distribution management solving this problem long ago.  SMS was ubiquitous three years prior to the Blaster outbreak.

Stiennon's philosophically wrong:

phreno: Richard, some NAC products offer behavioral policy enforcement. I can get identity, endpoint checks, and behavioral policy enforcement that stops botnets, DDoS attacks, etc. that do find a way onto the network. What other technology offers that?

Richard_Stiennon: "Great question. This is where the IPS/AV industry is heading. Allow an infected end point to connect, but do not allow it to harm me. Filter out attacks at the edge. The capability you refer to in some "NAC solutions" is what they call post admission control. That is good but the action should be to drop packets, not end point connections."

13th chime of the clock.  This statement, in itself, is just wrong-headed.  The notion of blocking bad traffic but leaving an otherwise useful connection was folly 5 years ago.  Much less today with, as Richard alludes to earlier in the debate, threats that blend SPAM, bot, keystroke logging and the like.  And we haven't even scratched the surface of malicious users.  What possible good comes from continuing to grant network access to a malicious user?  It is difficult for me to conceive of an answer that could be more wrong, more naive in its arrogance, than "just drop the bad stuff."

MITM on software updates [Liquid Information]

Posted: 28 Jul 2008 04:31 PM CDT

In this blog post I talked about a new way of doing software patching on Windows and thought something might go horribly wrong. Well, here is one thing that could wrong! Apparently some update tools just download without anyhow verifying the integrity and origin of the files. By doing a MITM attack (or the DNS vulnerability), one could trick the update tool into downloading an attacker provided file.

The Common API I was thinking of would definitely need more mechanisms to work, e.g. public key signature checking or something similar (+ a lot more considerations). Anyhow, existing routines do not seem to be fully secured either.

Defcon Podcaster (and Blogger) meetup [Network Security Blog]

Posted: 28 Jul 2008 03:40 PM CDT

Mubix has issued an update to the Podcaster’s meetup for Defcon 16. He’s arranged for a couple of sponsors (thanks and Astaro) for the event and might even get a couple more. The skybox will be open all day as a ‘quiet space’ for podcasting, which is something that’s usually pretty hard to find at Defcon, especially if you’re like me and won’t be staying at the Riviera. Given the crowd we’re talking about, I’m not sure how quiet it’ll really be, but it’ll still be better than the convention floor and the hallways will be.

There’s going to be a live broadcast from 9 to 10 PDT, and with the number of podcasters that’ll be there, I’m willing to bet it’ll be like herding cats. I’ll see if I can set up some video to give everyone an idea of how crazy it ends up being. Maybe we’ll even manage some live streaming video, if we’re lucky.

Black Hat and Defcon are approaching quickly. I just hope I still have the energy to party by the time this event rolls around. I’m glad I’m heading home in the afternoon Sunday, because I don’t think I’ll be up very early in the morning.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

Flash in the Spam [Commtouch Café]

Posted: 28 Jul 2008 03:18 PM CDT

OK the title is a lousy play on words, but the new spam tactic with hyperlinks to Flash files is actually pretty neat.  You most likely know by now that spammers will look for any way to bypass content-based anti-spam filters. And they tried a new trick today: sending spam messages whose hyperlink call to [...]

No comments: