Wednesday, August 27, 2008

Spliced feed for Security Bloggers Network

Clouds and The Distorted Notion of Direct Control [GNUCITIZEN]

Posted: 27 Aug 2008 04:38 AM CDT

I would like to share a few thoughts on the notion of being in direct control of your environment. This article is a continuation of my previous one and it aims to justify why nowadays individuals and organizations prefer to give away control in order to gain more agility. Needless to say, less control often equals less security.

Some of you who have been following the blog may be familiar with some of my other articles on the same topic. I’ve expressed many times my concerns about arriving concepts such as cloud computing, Web 2.0, Applications on Demand, SaaS, etc. The more I was digging into them, the more aware I was of their advantages and disadvantages. And I saw the notion of using in-the-cloud technology as a moving factor for many businesses to come.

Cloud computing is an attractive and very intelligent concept and it makes total business sense. The idea is not very new but at the same time it is evolutionary. It is all about outsourcing whatever you can outsource. In today’s flat world, all of your life is outsourced although you may not realize it. I highly recommend getting your hands on a book called “The World is Flat” for more insights. People have less control of their lives than they did 20 or even 10 years ago. Therefore, we are slaves, but slaves who have gained something for being enslaved. That “something” is agility.

Let’s look at the following analogy. Did you know that you are more likely to die in a sports or a compact car than a mid-sized car? There are plenty of research papers to justify those claims but my purpose here is to argue that less control increases agility and reduces security. The faster you drive, the higher the chance of an incident happening. The faster you run, the higher the chance of injuring your legs. Let’s put all that in context: The less control you have, the more agile you become. The faster you grow as an individual or organization, the more vulnerable you will feel.

Cloud computing is all about that. You can grow your empire on top of services. It is easy. It is fast. However, when you gain something you usually lose something else. Perhaps security? Although, it is unfair to say that cloud technology is less secure. Using open source tools is a form of outsourcing. Typically, you won’t build a homegrown Web server in order to host a website. You won’t write your own operating system in order to do your work. You outsource that work from those that can do it and having trust in your local file system is as flawed logic as having trust in a remote service. Both are protected in their own way. Both are vulnerable to theft.

In summary, we cannot control everything. It is unreasonable to believe so. Perhaps we are more in control of our desires and thoughts but even they can be manipulated by interested parties (i.e. advertisers, government, etc.). If there is less control, there is less to lose when gaining agility. Therefore, individuals and organizations prefer to lose even more of what they have in order to gain something else that they do not have.

You Don’t Own Your Reputation [Jon's Network]

Posted: 27 Aug 2008 12:48 AM CDT

Alex’s post got me thinking about reputation.

Companies think they own their reputation, but in reality they don’t. A reputation is the aggregate of the popular opinion about you. Opinions, or thoughts, belong to an individual, true or not, and a company doesn’t own a person’s thoughts, therefore a company doesn’t own its reputation. QED.

If the company doesn’t own its reputation then how can they press charges on a disgruntled employee (link via Alex) for trying to convince stockholders to sell? I’m simplifying here since he was probably under some sort of gag contract, but if you think about it, the act of persuading someone to sell a stock, while it may be malicious from the company’s point of view, isn’t qualitatively different than trying to convince them to hold or buy, which the company does constantly. If his information was false, then the sellers that believed him will lose money. If it was true, then the company has been lying. The point is, he isn’t causing any physical damage to the company by disseminating information, even if it is false, and this follows from the fact that no one owns their own reputation.

That doesn’t mean reputation isn’t real. It is real, and I think firms already measure it to an extent when they calculate the results of their marketing campaigns.

As far as selling security to preserve a reputation, everyone is trying it, because you see it in every vendor’s ad copy, but I really doubt anyone buys security because they are scared of a tarnished reputation. This is because breaches don’t affect the bottom line, which means they don’t make customers leave, which means a customer’s perceived risk of loss is small. The odds of any particular customer suffering loss if their beloved vendor loses a million credit card numbers is small, so they don’t care. They continue to shop there. This drives security people nuts, but that’s how it seems to be right now.

Multi-Boot Security LiveCD DVD []

Posted: 26 Aug 2008 10:40 PM CDT

NERV-LABS subsidiary has released quite the awesome DVD. Now, the lucky few of you who have suffered through my constant Microsoft-bashing Linux evangelism have already heard about all the multiboot LiveDVDs out there. Until now, they have all been booting various generic Linux distros. With the release of Badfoo’s LiveDVD, that has all changed:

MultiISO LiveDVD is an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It’s an all-in-one multipurpose LiveDVD put together. There’s something in it for everyone. I hope you enjoy it.

OS Choices:

Backtrack 3
Damn Small Linux 4.2.5
GeeXBoX 1.1 (not geekbox :-P )
Damn Vulnerable Linux (Strychnine) 1.4
Knoppix 5.1.1
MPentoo 2006.1
Ophcrack 1.2.2 (with 720 mb tables)
Puppy Linux 3.01
Byzantine OS i586-20040404

Now add the awesome power of UNetbootin (boot ISO via USB) and you have a USB stick that boots multiple security-related Linux operating systems. What do you have on your keychain?

Network Security Podcast, Episode 117 [Network Security Blog]

Posted: 26 Aug 2008 07:30 PM CDT

While Rich is off on a well deserved vacation with his wife, I’m joined by Mike Rothman, analyst, consultant, blogger, podcaster and friend. Mike and I recorded Monday night since I should be in a hotel somewhere in Southern California when this goes live.

Show Notes:

Network Security Podcast, Episode 117
Time: 30:34

Baby Tomhave Update: Laila Cosette Tomhave [The Falcon's View]

Posted: 26 Aug 2008 06:33 PM CDT

Please join me in welcoming Laila Cosette Tomhave, born at 5:55pm EST on 26 August 2008. She is 20.5" long and weighs in at a whopping 8lbs 5oz! Mother and baby are doing well....

Electing to receive [IT Security: The view from here]

Posted: 26 Aug 2008 05:15 PM CDT

I've been off the air again for a short while, changing positions again as a contract came up locally without quite so much travel. I'm not going to reveal my new whereabouts, largely because I'm not sure they'd be too happy about me talking about them, but also because it wouldn't add much to the mix.

I've been there a week now, and things are changing fast. The security department is being split up and pushed into every area of the company so that 'security is part of everything we do', which is admirable, if not lofty. I've ended up in the architecture team, which suits me fine, if not what I'd expected. What it does do is allow me to get on the receiving end of some vendors for a change, instead of delivering.

Last week I had a Webex about WebInspect from HP. Now I'm sure this is a great piece of kit, but it's really tough to sell over Webex. Fortunately for them, we've already bought it. I'm sure another sale would warrant a site visit, at which point the SE could shine, but over the phone it didn't really work for me.

I don't miss being an SE, it did serve as a great way to increase my salary quickly over a short period of time, and latterly to help me move from permanent roles into contracting because I found myself moving around so much and didn't want to appear like a job hopper. It also half killed me with travel and working from home is more stressful than you might imagine.

I was lucky to find a contract with work which suits me well and is practically on my doorstep. I don't think I'd ever go back to being an SE now, maybe I'm over critical because I've been one, but it's a thankless task, and I don't think you could pay me enough to do it again now.

I look forward to writing a bit more about the various technologies that I look at in the next few months. In the meantime I obviously can't talk about projects or politics in the workplace, but maybe I'll thrill you all with policies and general security blather.

How security configurations go bad [Phillip Hallam-Baker's Web Security Blog]

Posted: 26 Aug 2008 04:52 PM CDT

With best intentions I set up a demonstrator for a development project on my Windows Home Server (WHS). After a small amount of difficulty that turned out to be due to the version of .NET running on WHS being behind the version I used for development, everything was running.

For a while.

After the system works fine at home, I try to demonstrate the system at a conference a few weeks later and the site no longer works. When I get back home I discover that the event log is indicating that the IIS installation does not have the correct access permissions to the directory any more.

Or rather, the event log contains a series of cryptic and peculiar messages from which I am led to deduce that the application failed because it did not have the right access permissions. Granting full access to every authenticated user makes the problem go away.

According to the principle of least privilege this is of course very bad. I should fine-tune the system so that only the minimum level of access necessary is granted. But this is simply impossible with the tools provided. The error log does not tell me the user account that made the failed access attempt, nor do I know which file it attempted to access. I am left to guess.

The first time around I did the job right and worked out exactly which process I had to give the access to. Since then the WHS has installed a patch that has performed some sort of reset on the security configuration of the server and it no longer works. And so the only way to make sure that the system works in future is to use the big hammer and grant full access to everyone.

As it happens the security exposure in this case is small, only three people have accounts on the machine. But the same sort of thing happens repeatedly with other security configurations. Thus Hallam-Baker's first law of security configuration:

Making the system work will always take priority over making it work securely.

Too many systems are designed to make it possible to configure the system securely rather than making it easy to configure the system securely. For some reason operating system designers are particularly incapable of designing systems that provide the operator with the information they need to know to do their job.

Hacking Security Researchers [Sunnet Beskerming Security Advisories]

Posted: 26 Aug 2008 04:49 PM CDT

When Alan Shimel (StillSecure) and Petko Petkov (GNUCitizen) had their online mail accounts hacked in the latest bout of Full-Disclosure posturing, including contents of select emails published to the list and, in Alan's case, objectionable content sent to various mailing lists that he was involved with, reactions ranged from ignoring the event through to blaming Alan and Petko for using webmail accounts for more than they really should have.

The irony of security experts having their own security shortcomings exposed so publicly was not lost on the group claiming responsibility for the attacks, or on a number of observers. The incidents prove the adage that it is a matter of "when" not "if" you will be hacked. More importantly, they show that it only takes a single lapse in procedure for a critical weakness to be opened up in a security position. If there are multiple lapses that can then be chained together, then it only exacerbates the problems being faced. When a security expert is relying on their reputation to attract clients, being smeared like this doesn't help their case. How somebody recovers and responds to such an incident is key to their future reputation, and maybe even their future earning potential.

Alan and Petko's responses to the breach of their security can easily be found online and it is interesting to see the general posture being taken by both (and also by some of the external parties affected when emails were published or malicious content was sent to them). The significant differences in approach may be due to American / European cultural differences, but blaming the service providers for a mistake on your behalf is probably not the best way to go about rebuilding after a compromise.

An interesting side point to Alan Shimel's experience is that he had his personal domain redirected at GoDaddy after the hackers were able to use his legitimate email account to direct GoDaddy to unlock the domain and make the requisite changes. Without an out-of-band means of validating such directions (such as a phone call), what else is a registrar to do? The email came from the correct account. With the level of control over the various accounts that Alan held, including full details of his credit cards, it wouldn't have taken much more for the hackers to completely transfer control of his sites and potentially severely restrict Alan's access to his own finances.

While Alan was able to use his personal contacts to gain rapid access to in-person support at major service providers, this isn't necessarily something that many people will have easy access to, and even then it will take a measure of trust on the service provider's behalf to believe the caller is who they say they are and not the hackers making a last ditch social engineering attempt to regain control of the site(s).

Taking the Turkish approach to solving this problem is not necessary, but it might be a fun fantasy for a while.

FAA & ATC on the fritz [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 26 Aug 2008 04:34 PM CDT

This is incredible... another "FAA glitch" causing incredible ground stops and delays with planes stacked up from Chicago to Atlanta.

If you read between the lines you recognize the classic symptoms of "what just happened" syndrome. In this syndrome we can clearly see signs of confusion followed by mass hysteria as literally dozens of people scramble to figure out "what just happened"... all without success. My guess is, reboot the system, things will come back to normal.

Baby Tomhave Update: At Maternity, Progressing Well! [The Falcon's View]

Posted: 26 Aug 2008 03:52 PM CDT

Greetings! Bringing you a special live blogging event today (mostly for family and friends) of the birth of our first child. We're at the hospital now, settled into the maternity ward, where Hanna is progressing very well. Contractions started around...

Relentless Reflection - What it Means in Risk Management []

Posted: 26 Aug 2008 12:55 PM CDT

Picking up from yesterday, today I’d like to talk about:

HANSEI - WHAT IS “RELENTLESS REFLECTION?” - And why we’re talking about it in the context of Risk Analysis.

Recall from yesterday’s post about how I got to thinking about the concept of Hansei-Kaizen, “relentless reflection” and “continuous improvement” and how we might apply that to risk management.  It’s a concept born of Toyota and is, in some way, the foundation for “Lean” production.

Call me biased, but I think that Hansei (the act of ‘relentless reflection’ made structured) is the analytical function. And I hate to debate (post-mortem) the father of Toyota quality success when he says that Hansei is the “check” in Plan/Do/Check/Act, but I think that Hansei also applies to the “Plan” of the P/D/C/A or Deming cycle.

You’ll recall the P/D/C/A cycle can be thought of even as an implementation of Scientific Method, in that it is Observation & Hypothesis Creation (P), Experiment (D), Analysis (Check), and Act (Revise/New Hypothesis, etc…).  Well then as such, the Hypothesis creation involves creating a model or creating an expected outcome for data using the currently accepted model.

So in our industry there is an opportunity for Relentless Reflection in both the Observation and Hypothesis (Plan) creation steps, and the Check step. We create an estimate for control strength, or probable losses in the context of risk, then we go to the Experiment step. That hypothesis can be put into production, have an audit, have a penetration test, whatever, in the context of the Do step. BTW, using Hansei/Analytics in Plan is one way that strong analytical functions can really make penetration testing more useful, as a means to test the estimates and inputs into a model. It’s Penetration Testing 2.0! (<- tongue fully in cheek, yes)

Those who are versed in the reasons to merge Six Sigma and Lean together are probably already seeing where I’m going with this today.  But before you think that a simple DMAIC function is all that is needed to create proper “Hansei”, let me encourage you to keep reading.

Now if the analytical function can be said to be “reflection”, why must it be relentless?

One word.  Change. There are essentially four separate “landscapes” or sources of change that we face (more on those tomorrow).  But anyone who has tried to manage system compliance, log management or policy exceptions knows that change is possibly the most difficult thing we security professionals must manage.  And when you think about it, there aren’t too many other business functions like information security where significant visibility and insight about the environment is needed for “complete” information (get bullish on Log Management is my recommendation).

This is one of those quality control concepts that we can mangle adopt.  At Toyota, Hansei-Kaizen includes the following basic steps:

1. Initial problem perception
2. Clarify the problem
3. Locate area/point of cause
4. Investigate root cause (using an ask why 5 times approach)
5. Countermeasure
6. Evaluate
7. Standardize

Now it’s important to note that part of this includes the concept of Go See For Yourself, called “Gemba”. Gemba can be translated as "the actual place" or "the place where virtue or truth is found." At Toyota this might mean going to the shop floor to see the issue at hand in the production line. But for us, that’s a problem because we live in the virtual world. There’s usually not much use in hanging out in the wiring closets to try to see the problems.

But if you combine the concept of Gemba with the concept of “Nemawashi” (the process of discussing problems and potential solutions with all those affected), we can forge a similar concept using risk analysis. That is, discussing the issue and the risk associated with it (what some people would call “risk management”) with the business/LOB/data owner and letting them accept authority and the risk decision. Our goal as risk analysts is simply to perform items 1-5 (presenting countermeasure options that include transferring or accepting risk). By going to the line of business and involving them, responsibility is shared. Also, if you structure organizational behavior right, personal risk is transferred!

This sort of approach is also in harmony with concepts like "mutual ownership of problems," or "genchi genbutsu," (solving problems at the source instead of behind desks), and the "kaizen mind," (an unending sense of crisis behind the company's constant drive to improve).

One of the criticisms I have with the way most people try to implement DMAIC into “Lean”

Now to get this done, I really see three significant requirements.

1.)  A change in political structure.

2.)  Models that provide consistent, defensible analysis.

3.)  A quantitative approach. This means using actual units of measurement (not just amorphous percents, ordinal scales, etc.) for risk and its subsequent factors. Sure, there are times when Q&D qualitative approaches are acceptable, but policy should be to have quantitative analysis whenever and wherever possible.

That last item - the quantitative approach - is really quite important.  And the reasons why will be discussed further in tomorrow’s post:

“What should we be reflecting about? & What is needed for reflection?”

P.S.  Your comments and suggestions, as always, are welcome.

P.P.S. Those who may be familiar with Lean/SixSigma/Kaizen sorts of mashups may be thinking, “hey, an Analytical step is built into SixSigma”. Well, yes, there is some provision for analytical functions based on statistics, but I find SixSigma geared towards creating a State of Knowledge about operational processes, not towards creating a State of Wisdom for CISOs around security & risk “big questions”. In other words, the analytical function in DMAIC is in the context of Kaizen, and a different step than “reflective” analytics.

Self-signed certificates undermining network security [Napera Networks]

Posted: 26 Aug 2008 10:50 AM CDT

Imagine if I walked into a bank and told the teller: "Hi, my name is Bill Gates, and I want to withdraw all the money from my account."

Knowing that the teller would want proof that I am Bill Gates, I would also hand her an affidavit with a picture of my face stating that I am indeed Bill Gates. The catch is: the affidavit was signed by me, "Bill Gates".  No bank teller would accept my self-signed affidavit saying that I was Bill Gates; in fact, she would require a notarized version or some other proof of identity validated by a known authority.

But in the world of SSL-managed security appliances, self-signed certificates are commonplace and used by thousands of organizations worldwide. Like the Bill Gates impostor in my fictional story, security products that use self-signed certificates are undermining the security afforded by certificate-based SSL.

A little background may be in order to fully understand this analogy and why I make this bold claim. Certificates are used to bind an identity to a cryptographic public key.  The identity part of the certificate contains the name that shows up in the Web browser.  The public key is used for performing cryptographic functions, such as setting up the SSL encryption keys. Normally, a certificate is signed by a well-known trusted third-party called a certificate authority (CA).  A browser that trusts the CA also trusts any certificate signed by that CA.  When a security product uses a self-signed certificate, there is no third-party verification of the identity.  If a browser receives a self-signed certificate, it pops up a warning, and the burden falls to the user to confirm the identity.

Pushing this decision to the user is ultimately what opens up the possibility of a man-in-the-middle (MITM) attack. The security issue is not with self-signed certificates, but with the way users interact with them in the browser. The warnings about self-signed certificates look just like every other warning that pops up in the browser.

Every time a user browses to a site with a self-signed certificate, a warning pops up that says something like: "The security certificate presented by this website was not issued by a trusted certificate authority." After seeing five or six of these warnings, users tend to click right past them without consideration. Consequently, a user may accidentally allow a MITM attack when connecting to a legitimate site by clicking past the identity warning.

In Firefox 3, the user experience around self-signed certificates is significantly more complex and confusing than in previous versions; this has potentially worsened the user experience but increased the security around the interaction with certificates. Instead of one warning dialog box as in Firefox 2, Firefox 3 forces the user to click through no fewer than four dialog boxes in order to use a site protected with a self-signed certificate.

Many have argued that this is a step backward for Firefox,  but I couldn't disagree more.  Accepting a self-signed certificate should not be a common action and shouldn't be rushed through by the user.  The user needs to carefully consider that the certificate being verified is indeed the correct one.

Administrators should minimize the use of self-signed certificates, especially in their security products.  The easiest way to do this is to obtain certificates signed by a trusted CA. Most security products support the ability to import a certificate signed by a CA. With a signed cert, users will be able to browse to the secured pages without being prompted by any certificate warnings.
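The check described above, and why a CA-signed certificate silences the warning, as an added example that is not Napera's code or the original post's: a small Go program builds both a self-signed certificate and a CA-issued one for the constructed host name appliance.example, then runs the browser-style chain check against a trust store that holds only the CA root (the CA name and host are assumptions for the example).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "appliance.example" // constructed name for the appliance's management interface

// issue generates a fresh key pair for template and has signer sign the
// certificate; a nil signer means the new key signs itself (self-signed).
func issue(template, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// leafTemplate binds the host name shown in the browser to the appliance's key.
func leafTemplate() *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// NewCA stands in for the trusted third party whose root the browser holds.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trusted Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// SelfSignedLeaf mimics an appliance vouching for its own identity.
func SelfSignedLeaf() *x509.Certificate {
	tmpl := leafTemplate()
	cert, _ := issue(tmpl, tmpl, nil)
	return cert
}

// CASignedLeaf mimics importing a certificate the CA issued for the appliance.
func CASignedLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := issue(leafTemplate(), ca, caKey)
	return cert
}

// TrustStore is the browser's root store, holding only the CA certificate.
func TrustStore(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// Verify is the check a browser makes before showing a page without a warning:
// chain the certificate to a trusted root and confirm it names the requested host.
func Verify(cert *x509.Certificate, roots *x509.CertPool, name string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:   roots,
		DNSName: name,
	})
	return err
}

func main() {
	ca, caKey := NewCA()
	roots := TrustStore(ca)
	fmt.Println("self-signed:", Verify(SelfSignedLeaf(), roots, host))      // unknown authority
	fmt.Println("CA-signed:", Verify(CASignedLeaf(ca, caKey), roots, host)) // <nil>, no warning
	fmt.Println("wrong host:", Verify(CASignedLeaf(ca, caKey), roots, "other.example"))
}
```

A nil error from Verify is the "no warning" case; the self-signed certificate fails because nothing in the trust store vouches for it, and the third call shows that a CA signature alone is not enough when the name does not match the host the user asked for.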

At Napera we wanted to promote the secure use of SSL while still maintaining ease-of-use. To accomplish this, each Napera N24 ships with a certificate signed by GlobalSign. Out of the box, a user can connect to the management interface of a Napera N24 over a secure SSL connection without any certificate warnings.

Bundling a signed certificate is not only more secure but also simplifies the user interface.

Knock Knock [CTO Chronicles]

Posted: 26 Aug 2008 09:43 AM CDT

What's there?

We recently commissioned a survey of IT staff on network security concerns generally and NAC adoption plans specifically.  What we found, interestingly enough, was that 86% of the respondents had controlling network access as a priority, but 45% of them were not sure what was connecting to their networks at any given time.  I feel a bit like a political spin machine on this, since the basic visibility components of NAC implementation have often been a topic for me, but it seems to just keep coming up in its own right.  802.1X can help authenticate the endpoints in your network (and that seems to be on people's lists, at least according to Gartner), and may help judge the posture of devices as we move forward.  However, failing back to MAC-based authentication for MAC addresses you know little to nothing about seems too circular to be useful.  Any meaningful policy springs from at least basic knowledge of what you have connecting today.

I think this is a particular challenge for NAC vendors, since (a) it's basic blocking-and-tackling of NAC implementation so it needs to work; and (b) it's not really a huge business bang for your NAC buck.  However, there has to be opportunity here as well, since it appears none of the current tools in the IT toolbox is stepping up to do a satisfactory job at this.

You can read the full study here.

A few interesting Identity findings [Matt Flynn's Identity Management Blog]

Posted: 26 Aug 2008 09:35 AM CDT

User-Centric vs. Enterprise Identity

Dave Kearns offers a concise explanation of the core difference between user-centric identity and enterprise identity. His summary:
Enterprise-centric identity management is really all about tying together all the activities and attributes of a single entity into a readily accessible (and reportable and auditable) form. User-centric identity is about keeping various parts of your online life totally separated so that they aren't accessible and no report can be drawn.
I like the simplicity of this explanation. I think it really captures the essence of the difference in an understandable way.

Management Profile

In this article from ComputerWorld, the Director of IS, strategy and architecture at Universal Service Administrative Co. is profiled. He talks about his current project:
An IAM framework will allow for customer information of applicants and contributors to remain consistent across IT platforms while spanning new and legacy systems and applications. My goal is to have one authoritative repository for contributors' and applicants' access information that will be used in managing a secure access control infrastructure. I believe that identity and access management will become an underpinning technology that IT leaders need to address.
He goes on to say that Identity Management is the most critical technology of the year. It's nothing earth shattering, but I always give priority to real customer insights.

Interesting Service Offering

I've discussed the idea of outsourcing identity and managed identity services, but CoreBlox, a company founded by ex-Netegrity folks, has this posted in its service offerings:

Dedicated CA SiteMinder Support Professional

It's an interesting twist on managed identity services and one that I think would resonate with customers. I've known a number of companies who would've liked to just outsource the identity support role to someone who knows what they're doing -- without having to hire and without having to pay for a full-time resource who sits around waiting for something to go wrong. One of the things I like about this is that CoreBlox isn't trying to provide a support professional for any identity system. They're focused on the technologies that they know.

So, if you had a provisioning solution from Courion or SAP and SiteMinder for Web Access, you might need to go to two different people or companies to get the right support. BUT - that focus on core expertise is a recipe for success (especially in a support role). And likely still more cost effective than hiring, training, and retaining someone to support these complex systems.

Olympic Travelers Return...Bearing Gifts? [The Security Shoggoth]

Posted: 26 Aug 2008 09:23 AM CDT

Now that the Olympics are over everyone who was lucky enough to go will be traveling back to home and coming back in to work. Surely they'll be bringing the souvenirs they bought in Beijing - buttons, pins, T-shirts. But what about electronics?

China knows trade and knows an opportunity to increase sales in their country so they obviously did everything they could to ensure tourists could access Chinese markets and purchase their (cheap) goods. Did these include electronics? Absolutely!

While I have no first hand accounts of this and am speculating, I'm sure many of the recent Olympic visitors toured the Chinese markets and saw great deals on USB watches, digital frames, laptops and other computer accessories and picked them up. Soon these same people will be bringing their newly obtained items into their homes and hooking them up to their personal (or work) computers or, if administrators are lucky, they'll be bringing them to work to display (and use) on their desktops.

Anything to worry about? Naw, I'm sure we'll be fine. There's never been any instance of malware coming from Chinese hardware.

If anyone hears about anything like this, let me know please.

Ubuntu Drink in Vending Machine [Gilbert Verdian - Security Advocate]

Posted: 26 Aug 2008 06:49 AM CDT

Came across this Ubuntu drink in a vending machine. Does anyone know what it is or tried it?

[Paper] Failed: Information Security and Data Protection in a Consumer Digital World [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 26 Aug 2008 02:22 AM CDT

As promised - My paper on the top 5 reasons information theft, fraud and identity theft are running so rampant is complete.

If you've still got your pre-published copy out, please feel free to continue to submit comments that I may review the final in the coming weeks. I have done some research on this topic and feel these are legitimately the 5 reasons why Information Security is in deep trouble.

Please grab the paper here...

Cool Viagra vs. Cialis Spam [Commtouch Café]

Posted: 25 Aug 2008 03:22 PM CDT

Spammers are always looking for ways to get their message past anti-spam filters, and HTML manipulations are part of their regular bag of tricks, but this one just looked so cool I wanted to share it with you. At first glance, it looks like the spammer simply wrote “Viagra vs. Cialis” vertically (that in itself [...]

Nick Szabo on Coase's theorem [Phillip Hallam-Baker's Web Security Blog]

Posted: 25 Aug 2008 12:42 PM CDT

Nick Szabo is usually worth reading; his take on Coase's theorem is quite entertaining (H/t Michael Froomkin).

Given good will and a reasonable set of circumstances the economists might be right and the world might indeed fit into their nice neat little theories. According to this world view it does not matter whether the railroad has the duty to suppress sparks its engines might emit or whether the farmer is responsible for ensuring that he does not plant crops too close to the track: with frictionless capitalism and goodwill the parties will come to the most economically efficient outcome through good faith negotiations. Thus every situation can be reduced to contract law.

Yes, I simplify the argument, but not half so much, methinks, as the economists simplify the world in their attempt to make it fit their theories.

Then along comes Nick Szabo, who points out that the railroad may not be a good faith actor. Far from it: the railroad might deliberately create the sparks, or why not go further and deliberately torch the farmer's field with a flamethrower? Contrariwise, the farmer might sabotage the tracks and derail the train.

Once it is admitted that the actors may act in extreme bad faith the comfortable little academic theory starts flying apart.

Didn't something rather similar happen to the Internet?

Hansei-Kaizen & Risk Management Practices []

Posted: 25 Aug 2008 10:13 AM CDT

You might consider this a follow on to the Deming in Risk Management series I did this spring.

Recently, Thinking Problem Management wrote on the concept of Hansei-Kaizen. That started me thinking about Information Risk Management, Information Security, the role of the security group and the analytical function. The following isn’t necessarily a revelation, but as I’ve a friend interviewing for a CISO-type job at a Fortune 20 this week and they are focused on a not dissimilar business management philosophy, I thought I’d write a little about the subject.

Hansei-Kaizen is the process of relentless reflection (Hansei) and continuous improvement (Kaizen). It might be thought of as part of the Deming Plan, Do, Check, Act cycle. In fact, Taiichi Ohno, father of Toyota’s production system (Lean Manufacturing), is quoted as saying: “Check (in PDCA) is Hansei”.

image from the awesome Panta Rei weblog

Now those who have had exposure to Six Sigma and management theory are already probably very well acquainted with the concept of Kaizen. I think anyone who has held a security management position would argue that continuous improvement is a very admirable goal. And I don’t think we need to talk necessarily about what improvement is and why it needs to be continuous.

But what is usually not given a great deal of consideration in our profession is this concept of “relentless reflection”, the “Hansei” bit. And a lack of Hansei can be a source of frustration to those we work with and report to. In fact, there’s a great presentation by Dr. Hwang Chi Hong available via search engines that explains:

Hansei (reflection) alone only generates staff unhappiness. Kaizen (continuous improvement) alone only wastes creativity.

Cool huh?

So what’s this got to do with Risk Analysis?

If we can agree that continuous improvement is an admirable goal for security management, security departments, and even security vendors, then in light of the quote above we have some questions to ask ourselves:

  • what is this relentless reflection (Hansei),
  • what should we be relentlessly reflecting about, and
  • how much work is being put into, and how good are we at, Hansei?

I’d like to focus on that for the next few blog posts this week, because I think that adding structure around this concept may be a “pragmatic” (Hi Mike!) complement to many of the CISO “self-help” books I’ve been seeing.

Why I Didn't Buy a Hybrid [The Falcon's View]

Posted: 25 Aug 2008 09:54 AM CDT

As you may or may not recall, I had ordered a 2009 Ford Escape Hybrid from my local dealer back in April, but it never arrived. Ford instead randomly selected 5 people from the 50 who had placed orders with...

Happy Two-Year Anniversary [tssci security]

Posted: 24 Aug 2008 05:40 PM CDT

Yesterday we celebrated tssci-security’s two-year anniversary. I started this site on August 23rd, 2006 during my first internship, and oh my, how the time flew by. A lot of good things have come my way — most as a direct result of this blog. The connections and many good times I’ve had with people because of this site are countless and all priceless. Also a happy birthday goes out to Dre, without whom this blog would not have been as much a success as it’s been. Dre celebrates his birthday on the same day as tssci-security’s anniversary. A coincidence? :)

I know we’ve been pretty dormant the past several weeks — I blame it on the security conferences. I tried not to speak out too much about the DNS vulnerability Dan found, since honestly, everyone has disagreed with each other and really nothing good came out of any of it. I’ve also been putting in 12 hour days at work for the past two months, which has been draining me to the point where I just want to chillax when I get home. There have really been no good security books come out lately for us to read, except for maybe Hacking Exposed: Linux 3rd Edition — an ISECOM book. Speaking of ISECOM, tomorrow and Tuesday I’m attending a two-day training certification class for the OSSTMM Professional Security Tester. I’ve also got that Hacking Exposed book on the way, which I plan to read and possibly post a review up here. Supposedly it takes an OSSTMM approach to hacking Linux… so we’ll see. Expect to see some posts on the OPST tomorrow or Tuesday with my thoughts as well.

In the meantime, enjoy the following posts which I found to be interesting:

DEFCON 16: The Tools not the Toools []

Posted: 24 Aug 2008 05:12 PM CDT

Originally posted to the Zero Day blog on Ziff Davis:

This article was also referenced in a Dark Reading blog post by John Sawyer:

All updates will reside here as I have no control over the article on Ziff Davis.

    DEFCON, the 9000+ attendee hacker conference in Vegas has become a sort of hydra conference. It has become more like a global fair than what most people think of conferences; even the badge is highly unique. I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!”, so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse it’s hard to find all of the “stuff” they release. Before anyone has a chance to post “It’s all on the DEFCON CD dummy” I want to challenge them to try. After a weekend of googling (which came back with few results) and making contact with some of the speakers, I provide you with a mostly accurate list of “stuff” that was released at DEFCON this year. If any of the information is inaccurate, or a tool is missing, please contact me and I will update this post.

The DEFCON CD can be found here:

Think you are good enough? The binaries from Capture the Flag have been posted here:

PE-Scrambler by Nick Harbour

Packet-O-Matic by Guy Martin

  • Description: “A real time packet processor” - It extracts and can reinject packets. This includes VoIP calls in real time, Cable Modem (DOCSIS) traffic, and a whole host of others.
  • Homepage Link:
  • Email Address:

SA Exploiter by Securestate

Fast-Track by Securestate

Beholder – by Nelson Murilo and Luis Eduardo

The Middler – by Jay Beale

ClientIPS – by Jay Beale

  • Description: An open source inline “transparent” client-side IPS
  • Homepage Link: (Online?)

Marathon Tool – by Daniel Kachakill

The Phantom Protocol – by Magnus Brading

  • Description: A Tor-like protocol that fixes some of Tor’s major attack vectors
  • Homepage Link:
  • Email Address:

ModScan – by Mark Bristow

Grendel Scan – by David Byrne

  • Description: Web application scanner that searches for logic and design flaws as well as the standard flaws seen in the wild today (SQL Injection, XSS, CSRF)
  • Homepage Link:

iKat – interactive Kiosk Attack Tool (This site has an image as a banner that is definitely not safe for work! – You have been warned) by Paul Craig

  • Description: A web site that is dedicated to helping you break out of Kiosk jails
  • Homepage Link:
  • Email Address:

DAVIX – by Jan P. Monsch and Raffael Marty

CollabREate – by Chris Eagle and Tim Vidas

  • Description: An IDA Pro plugin with a server backend that allows multiple people to collaborate on a single RE (reverse engineering) project.
  • Homepage Link:
  • Email Addresses: and

VMware Pen-Testing Framework – by John Fitzpatrick

Dradis – by John Fitzpatrick

  • Description: A tool for organizing and sharing information during a penetration test
  • Homepage:
  • Email Address:

Squirtle – by Kurt Grutzmacher

WhiteSpace – by Kolisar

  • Description: A script that can hide other scripts such as CSRF and iframes in spaces and tabs
  • Download Link: DEFCON 16 CD

VoIPer – by nnp

  • Description: VoIP automated fuzzing tool with support for a large number of VoIP applications and protocols
  • Homepage Link:

Barrier – by Errata Security

  • Description: A browser plugin that pen-tests every site that you visit.
  • Homepage Link:
  • Email Address:

Psyche – by Ponte Technologies
Other blogs that have linked this or my ZD Net post: