Spliced feed for Security Bloggers Network
End-to-End Encryption in the AP Region [PCI Blog - Compliance Demystified] Posted: 17 Oct 2008 01:05 AM CDT
I (Chris) recently completed a training session in Australia, and while meeting with the Visa representatives in the Asia Pacific region I was surprised to learn about some of the initiatives in the region. Visa has sponsored a program that resulted in the entire country of Malaysia employing end-to-end encryption for payment card transactions. This is a tremendous step forward in data security and demonstrates that end-to-end encryption is viable. Thailand and Australia are also moving quickly toward end-to-end encryption, in addition to chip and PIN, with the support of card brands in the region. As anyone who has read any of Aegenis' writings knows, we are big proponents of end-to-end encryption and other technologies that reduce the risk to payment card data as well as minimize the need for PCI DSS. Recently we published a whitepaper on the topic of Cardholder Data and whether encrypted data is, or is not, Cardholder Data. It is my position that the categorization of data is predicated not upon the use of encryption but upon the key management processes. You can read the paper here. Truly reducing the risk to cardholder data is going to require more than compliance with any standard. Companies are going to have to begin looking at methods to remove the value of data or protect the data during the entire transaction cycle.
Grecs’s Infosec Ramblings for 2008-10-16 [NovaInfosecPortal.com] Posted: 16 Oct 2008 11:59 PM CDT
The top sales mistake: lying [StillSecure, After All These Years] Posted: 16 Oct 2008 10:23 PM CDT
I was reading an article in connectIT news today. Colleen Francis recounts the top three fatal mistakes that salespeople make. Actually, it was the same mistake made in three different situations: in all three, the salesperson lied about their relationship with the alleged buyer. Why a salesperson would do that is kind of ridiculous to me. Do they not think they are going to get found out? So lying is definitely the top mistake, but wearing out your welcome is a close second!
Techno Forensics Conference Infosec Event [NovaInfosecPortal.com] Posted: 16 Oct 2008 09:59 PM CDT TheTrainingCo will be holding this year’s Techno Forensics Conference infosec event at the end of this month. Here are the logistics for this year’s conference:
For more information on the Techno Forensics Conference, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See the Techno Forensics Conference main page for more information.
StillSecure, After all these years, Podcast 59 - Mike Murray [StillSecure, After All These Years] Posted: 16 Oct 2008 08:06 PM CDT
Mitchell and I did not have a guest lined up for tonight. We put out the word on Twitter and who came to the rescue? Mike Murray! Mitchell and I have known Mike for years, through his nCircle days, then lab testing, and now on to the next chapter for Mike as he is consulting. Mike is a very bright guy and a real security guru. He has lots to say about what the economic conditions could mean for security guys like you! Lots of interesting things from Mike, including rants on why most security people are not as educated as they need to be, why signature products just don't cut it, and more. Mike has a great blog on here, if you want to hear more from him. It's good to be doing these podcasts regularly again. Hope you enjoy it! If you have any questions, write to us at podcast@stillsecure.com. Thanks to PodOmatic for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley! Enjoy the podcast!
New & Improved PaulDotCom Mailing List [PaulDotCom] Posted: 16 Oct 2008 03:33 PM CDT
While we love Google (I mean, they make a fantastic search engine), it was time to say goodbye to Google Groups and get our very own mailing list server. Look for more good things to come on that front... In the meantime, I have moved everyone over from the old Google Groups mailing list to the new one. The "PaulDotCom" mailing list is for discussions about the show, general computer and network security topics, hacking, and the like. Feel free to discuss and ask questions. If you don't get an answer right away, be patient; it may take some time before people are able to respond. If you have not yet joined the mailing list, then what are you waiting for? You just have to join the debate; who knows, we may even bat around the old "Ninjas vs. Pirates" debate just for fun. Cheers, PaulDotCom
A Cryptographer and a Data Communications Guy Talk About Risk Management [RiskAnalys.is] Posted: 16 Oct 2008 10:32 AM CDT
"The" Bruce Schneier and Marcus Ranum have an article up on TechTarget/Information Security Magazine called, creatively enough, "Bruce Schneier, Marcus Ranum debate risk management". Unfortunately, to get to the article you'll have to either already be a subscriber to IT Security or TechTarget, or go through the 20-minute process of signing up by giving TechTarget all sorts of "market information" about how you're really Brandon Walsh, CSO of "The Peach Pit" Industries in Beverly Hills, CA 90210 (phone 714-867-5309). For those of you who are already a TechTarget person, the link is above. For those who aren't, or those who just don't have the time, I'll summarize.

The "debate" is kind of awkward because both authors seem to come to the same conclusion: risk management is something our profession should do, something humans do naturally, and necessary in business, but gosh, we don't have enough data.

I'm not a cryptographer. I don't *nearly* have the insight on privacy and politics that Bruce has. I'm not deep in IP communications. I haven't got a proven track record of innovation in IP security products like Marcus has. But here's the thing: I hope you'll never hear me pretend that I have the skill set to speak authoritatively on those subjects. Heck, I wouldn't claim to be a "risk" expert, because I have some insight into my shortcomings and into what is needed to tackle such a complex problem. But such a tepid article on something that (at least I think) is so important kind of, well, confuses me. Why is it such a boring article? I'm not sure. Maybe because they're just two guys who would rather debate the merits of specific controls or control activities (after all, their penetration testing debate was a huge success), but there's no new information in the "debate". It's the same old "insurance companies know risk because they have scads of data and we don't have that" complaint. You know what? I'm tired of hearing that line, so let's talk about it.

HOW DO YOU KNOW WE DON'T HAVE THE AMOUNT OF DATA WE NEED TO DO RISK MANAGEMENT WELL?

Not particularly picking on Marcus, but in the article he uses the common complaint, "We lack the data to do risk management well." This mantra is repeated to the point where I'm blasé about it. But for some reason, this sentence really jumped out at me this time, for two reasons. It made me ask:

1.) How do you know we don't have the proper amount of data?
2.) Can we even define "well" (i.e. what "good" risk management is) yet?

I really don't know that the industry, especially concerning IT risk, is mature enough to conclude that we don't have the data (in the case of the former), nor that we can define "well" (the latter), conclusively.

PLAYING THE CONTRARIAN

Just because I'm feeling kind of zany this morning, let me suggest something. Maybe there actually is lots of evidence out there for us to use. Maybe:

1.) It's just that we don't have particularly good models that provide context.
2.) When that evidence isn't an obvious phenomenon that lends itself to easy measurement, we throw our hands up in disgust and fall back on "lack of data", "can't quantify risk", "best practices work just fine" or any number of other arguments, no, excuses we use to justify our inability to be precise about the past (much less the present or future; apologies to Niels Bohr).

IT'S IN THE WAY THAT YOU USE IT

Now I actually am happy to acknowledge that we don't have enough data to be precise. You, me, even smart guys like Marcus and Bruce: we'll never be able to "engineer" risk management. But you know what? Neither can insurance companies. Sure, there are plenty of places where they have enough data to apply a traditional frequentist approach to risk valuations. But there are plenty of times insurers actually insure when they don't have centuries or decades of data. There are plenty of times when they rely on the "estimates" of subject matter experts. There are many times they have enough information to be accurate rather than precise, and that's good enough for them. For that matter, it's worth noting that there are plenty of scientific disciplines that have to deal in imprecise prior information, or evidence that's fraught with uncertainty (what Ranum calls "squishy", and what I've heard real honest-to-goodness physicists call "noisy"). Unfortunately, we're going to be like them. Until we can read minds and predict the future, there will always be uncertainty in our measurements and posterior conclusions. The trick is in how you deal with it and express it. And while I really don't know how much time Marcus or Bruce have really spent in the deep end on the subject of risk and its management, I have seen people doing brilliant things around risk (though they just aren't mainstream). Whether the tools are Bayesian methods, Monte Carlo engines, or reductionist models of complex problems, there are risk analysts trying to deal with the problem. These analysts are applying scientific method(s) and developing reasonable approaches to a very complex problem. There are people trying, and our body of knowledge is growing, growing well beyond "gee, I haven't got an obvious solution so I'll blame it on lack of data". Heck, I've seen readers of this blog suggest Douglas Hubbard's book in other security forums!*

I'VE GOT YOUR DATA RIGHT HERE…

But we don't have enough data? I have to ask, how much more do we need? I mean crikey, JPMC just visited our ISSA chapter claiming, like, a bajillion events an hour. There's not one, but several companies out there that will want to tell you about how they have deep "insight" into the attacker community. The boundaries of IT risk losses are pretty well established by events that happen to public companies. We have pretty mature testing/assessment tools and methodologies now that help us test our ability to resist the force an attacker can apply to us. So what part of the Threat Landscape, Asset (Controls) Landscape, or Loss Magnitude landscape is too incomplete (and what are you doing to find the information you need)?

SO WHY DO WE FAIL?

Which brings me to a final, somewhat depressing conclusion. Maybe there's data, and maybe we're starting to see the means to use it. But in the end I do have to agree with Marcus that the vast majority of the infosec world *is* doing a really, really bad job with regards to "risk" and "risk management". The majority of people I know consider GRC to be a cruel, expensive joke. Risk assessment methodologies tend to be built on the faulty premise that if we create a repeatable process, our measurements and conclusions will magically become accurate and wise. Risk models tend to be factors loosely measured on ordinal scales and then somehow "multiplied" together to create a relatively meaningless qualitative value. The State of the Union here is not good. But after reading such a superficial treatment of an important and complex subject, I am left wondering if Bruce and Marcus were the right people to write about risk management in a mainstream publication. As Inspector Callahan says, "A man's got to know his limitations."

===============================

* Speaking of which, if you want to do one cost-effective thing to address your uncertainty, go find Douglas Hubbard's book. It's even got a nice recommendation from Peter Tippett. The book is called "How To Measure Anything"; the title sounds rather hyperbolic, but there are good techniques in it we can use to identify useful information and refine our ability to frame that qualitative information into quantitative values. The key is how Hubbard has you deal with your uncertainty. For those of you who are more scientifically minded and want to dig deep into the subject, I have on good authority that E.T. Jaynes' "Probability Theory: The Logic of Science" is a rather under-appreciated work.
Cisco ASA hacker tips: Hexadecimal to decimal conversion tool [Francois Ropert weblog] Posted: 16 Oct 2008 09:44 AM CDT
Do you know that the famous Cisco ASA security appliance can convert hexadecimal to decimal for you? Cisco ASA secures your packets. On top of that, ASA has a calc.exe tool that is called PING :> Unfortunately, this is just a tiny calc because it only works up to 255. Here are some examples (check the resolved addresses in the "Sending" lines):

ciscoasa# ping inside 0xA repeat 1 timeout 1 size 28
Type escape sequence to abort.
Sending 1, 28-byte ICMP Echos to 0.0.0.10, timeout is 1 seconds:
?
Success rate is 0 percent (0/1)

ciscoasa# ping inside 0x42 repeat 1 timeout 1 size 28
Type escape sequence to abort.
Sending 1, 28-byte ICMP Echos to 0.0.0.66, timeout is 1 seconds:
?
Success rate is 0 percent (0/1)

Enjoy!
Taking the Week Off [PaulDotCom] Posted: 16 Oct 2008 09:33 AM CDT Yes, you guessed it. We're taking a break for the week! Don't worry, we'll be back next week with more awesome shows you've come to expect. We've got some great interviews planned for the coming months, and maybe even an episode of PaulDotCom TV in the works! See you all in a week. Thanks for listening! - Paul and Larry
Security Visualization Workshop in Hong Kong [Security Data Visualization] Posted: 16 Oct 2008 08:56 AM CDT
As part of the ISSummit in Hong Kong, I will be teaching a one-day workshop on security visualization. The following is the abstract of the training: As networks become ever more complex, securing them becomes more and more difficult. The solution is visualization. Using today's state-of-the-art data visualization techniques, you can gain a far deeper understanding of what's happening on your network right now. You can uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods. The attendees will get an overview of visualization and of data sources for IT security, and learn how to generate visual representations of IT data. The training is filled with hands-on exercises. The talk covers the following individual topics:
Should you be in Hong Kong on November 20th, come check out the training. Should you miss it, I will be teaching a two day workshop at SourceBoston, Boston in March 2009.
Sex Offender Registry Law = FAIL [Carnal0wnage Blog] Posted: 16 Oct 2008 04:14 AM CDT
More adventures of non-technicians making technical policy, FTW!
"Registered sex offenders will have to start providing their e-mail addresses to a national database available to social networking sites, under the misleadingly titled "Keeping the Internet Devoid of Sexual Predators Act of 2008" — a bill authored by Senator John McCain and signed by President Bush on Monday. The idea behind the law (.pdf) is that a social networking site can query the database to keep registered sex offenders from signing up, and thus prevent them from preying on underage users. Needless to say, the law does nothing to stop first-time predators. But it's doubtful that even recidivists will be affected. Pedophiles looking to victimize children — a felony worth years, even decades, in prison — won't be afraid to violate this new law by using an unregistered Gmail address. And now law enforcement will have to struggle to discern whether an offender is using a disposable webmail account to commit new crimes, or just to shunt the blacklist and network with their adult friends and family."
http://blog.wired.com/27bstroke6/2008/10/mccains-sex-off.html
(edit) Making laws that are not enforceable or are easily bypassed is a waste of time and money, just like regulations that cannot be followed or enforced. Once we all have a john.smith@person.usa email address AND we all have to use it, this might be a law worthy of some effort.
Posted: 16 Oct 2008 03:02 AM CDT
This just entered my inbox:
London, UK, 16th October 2008. Research carried out by Infosecurity Europe has shown that 95 per cent of people would prefer to report online fraud directly to a dedicated e-crime agency, rather than having to go through APACS and/or the financial services firm with whom the fraud took place. The research by the Infosecurity Europe show, which took in online responses from 359 visitors to the site, follows on from a debate in the House of Lords on e-crime and IT security issues. In that debate, their Lordships noted it was anomalous for UK banks not to be obliged, in law, to refund account holders who have been electronically defrauded. Lord Broers, the Chairman of the House of Lords Committee on Science and Technology, said that the current situation is that account holders are only being refunded under a voluntary code, noting that in today's environment this is scarcely appropriate. In addition, Lord Broers said, whilst customers currently report their e-frauds to the banks, it is not in the banks' interests to draw attention to the fact that their anti-fraud systems have failed. Against this backdrop, their Lordships concluded there is a need for specific legislation, similar to the Bills of Exchange Act 1882, which specified that if a bank honoured a forged cheque, the bank, not the customer upon whose account the cheque had been drawn, was liable.

Commenting on the results of the security debate and the Infosecurityadviser.com research, the Earl of Erroll, a cross-bench member of the House of Lords, said that he was not surprised that 95 per cent of people would like to be able to report online fraud directly to a dedicated body. "I think that people instinctively realise that you cannot expect people or organisations to report their own shortcomings reliably," he said, adding that the industry must always have independent bodies looking after our interests. "I am delighted that money is finally being put into the new National Fraud Reporting Centre and that it is actually going to be given some teeth in the form of the new Police Central e-crime Unit," he added.

Lord Erroll's comments were echoed by Mike Barwise, Editor of Infosecurityadviser.com, the online forum for the information security industry, who noted Lord Broers' description ("extraordinarily complacent") of the government's response to the August 2007 report on personal Internet security by the House Science and Technology Committee. The House of Lords debate, he said, was fascinating, as it illustrated the degree of confidence that consumers must have in a system for it to flourish. "Lord Sutherland of Houndwood's comments that Internet trading and purchase... depend on confidence and trust in the processes employed by the banks and in the priority that they give to personal Internet security, highlights this fact," he said. "As events in the financial world in recent weeks have shown, without an underlying level of confidence in a given market, that market will collapse spectacularly. The danger with e-trading security is that, if confidence fails, the e-trading market will similarly slump," he added.

For more on Mike Barwise's comments: http://www.infosecurityadviser.com/view_message?id=74
Oracle Critical Patch Update, October 2008 [securosis.com] Posted: 16 Oct 2008 12:10 AM CDT
The Oracle Critical Patch Update for October 2008 was released today. On the database side there are a lot of the usual suspects; DMSYS.ODM_MODEL_UTIL seems to be patched in every CPU during the last few years. All in all the database modifications appear minor, so patch the databases according to your normal deployment schedules. It does seem that every time I view this list there is an entirely new section. It is not just the database and Oracle Apps, but BEA, Siebel, JD Edwards, and the eBusiness Suite. As a security researcher, one of the tough chores is to figure out if these vulnerabilities inter-relate, and if so, how any of these in conjunction with the others could provide a greater threat than the individual risks. I do not see anything like that this time, but then again, there is the BEA plug-in for Apache that's flagged as a high risk item by itself. Without details, we cannot know if the BEA bug is sufficient to compromise a web server and reach vulnerable databases behind it. The BEA plug-in was awarded Oracle's highest risk score (10 out of 10), so if you're using that Apache plug-in, PATCH NOW! I am guessing it is similar in nature to the previously discovered buffer overflow described in CERT VU #716387 (CVE-2008-3257). However, unlike the CERT advisory for that previous attack, there is no mention of a workaround this time, and in general Oracle is not very chatty about the specifics on this one. And I love the Teflon-coated catch-all phrase in the vulnerability 'description': "...which may impact the availability, confidentiality or integrity of WebLogic Server applications...". Helpful! Friends I have contacted do not know much about this one. If you have more specific details on the threat, shoot me an email, as I would love to know more.
-Adrian
An Information Security Place Podcast - Episode 7 [An Information Security Place] Posted: 15 Oct 2008 11:35 PM CDT
Hey everybody. Here's podcast episode 7. There's some great stuff in here, and some great interviews. Enjoy! BTW, iTunes is downloading episode 6 for episode 7 for some friggin' reason. I will look into it, but I have to finish a proposal tonight. Sheesh.
Show notes:
Interview Segment:
Geek Toys: Jasager on the FON Router. Watch Episodes 403 and 405 of Hak5 or hop over to DigiNinja's Jasager page.
Consultants Corner: Discussion on doing some due diligence on checking vendor claims.
Open discussion on the recent Evil Bits Darkreading blog post.
Music Notes:
Vet
Posted: 15 Oct 2008 10:42 PM CDT
Well, my iPhone frustrations continue… I loathe the fact that I can't do anything with email attachments other than just read them. It would be nice to be able to edit a Word attachment on occasion. It also would be cool to be able to attach a doc to an email. As I have said before, a system-wide cut and paste feature, available on almost all smart phones, is something that should have been included in the first-gen iPhones. And why does every single text editor have to have its own, independent storage area for docs? I can't even share docs from one text editor to another. If it is stored in one text editing app's filestore, there is no way for another text editor to get to it. This is just plain ridiculous. The cool thing, though? I'm posting this from my iPhone. OK Apple… you're forgiven… for now, but my patience is wearing thin. Beauty will only get you so far.
USB Goodies 2008 [Room362.com] Posted: 15 Oct 2008 09:57 PM CDT
EDIT: Switching something from "DRAFT" to "PUBLISH" is a really important step. Sorry guys. Let me preface all of these tools with the fact that some don't come "portable". To make them so, I have dropped the installer / setup file into Universal Extractor and then cleaned up the directory.
My Take On The Database Security Market Challenges [securosis.com] Posted: 15 Oct 2008 07:28 PM CDT
Yesterday, Adrian posted his take on a conversation we had last week. We were headed over to happy hour, talking about the usual drivel that analyst types get all hot and bothered about, when he dropped the bombshell: one of our favorite groups of products could be in serious trouble. For the record, we hadn't started happy hour yet. Although everyone on the vendor side is challenged by such a screwed-up economy, I believe the forces affecting the database security market place it in particular jeopardy. This bothers me, because I consider these to be some of the highest value tools in our information-centric security arsenal. Since I'm about to head off to San Diego for a Jimmy Buffett concert, I'll try to keep this concise.
There are a few ways to navigate through this, and the companies that haven’t aggressively adjusted their strategies in the past few weeks are headed for trouble. I’m not kidding, I really hated writing this post. This isn’t an “X is Dead”, stir the pot kind of thing, but a concern that one of the most important linchpins of information-centric security is at risk. To use Adrian’s words:
-Rich
PaulDotCom Security Weekly - Episode 126 Part II - October 9, 2008 [PaulDotCom] Posted: 15 Oct 2008 03:37 PM CDT Paul and Larry are in the studio with special guest Ed Skoudis!
Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian Email: psw@pauldotcom.com
Trade names in Extended Validation SSL Certificates [Tim Callan's SSL Blog] Posted: 15 Oct 2008 03:19 PM CDT As I discuss EV SSL with a variety of online businesses, one question I get a lot is about the name that appears adjacent to the address bar in compatible browsers. The question goes something like this, "We do business under the well-known brand of HipCoolStuff, but our company is actually called Old Stodgy Holding Corporation. We don't want the Old Stodgy name on our Web site. Nobody knows us by that name, and it's not the brand identity we choose to present to the public. What can we do about that?"
In my opinion... [IT Security: The view from here] Posted: 15 Oct 2008 01:46 PM CDT
It's funny, I keep getting invited to dinners, phone calls, webinars, etc. by people who have done surveys, created documents, got an expert in, etc., and I keep on politely turning things down. Not because I don't want to speak to people, far from it, I'd love to talk all day, but because I have more pressing engagements, and my life, to get on with.

I received a missive from Compuware earlier in the week, who have actually done a really good job of surveying IT professionals and printing out some relevant statistics. It makes a refreshing change from previous surveys I've had to rip apart here. Having said that, I'm not really 100% sure what they are trying to achieve with it, and fully expect them to explain by return of mail tomorrow...

HP have also come knocking, with an invitation for dinner up in London in a couple of weeks. On a Monday night. I don't know about you guys, but I have busy weekends, stay up late, watch "Poker After Dark" (Hellmuth is a dick, isn't he?), occasionally even play poker and even less frequently win, but I'm always up past my bedtime. Monday morning, I get up at 6am, drive to the gym, churn out a couple of k's, and by the time I go home I'm ready for anything except getting on a train to London. I'm normally asleep on the sofa by 6:30pm. I know exactly why they approached me though, and I AM interested in what they have to say, just not in London on a Monday night. Southampton on a Wednesday lunchtime, when they're paying: different matter entirely.

And I think that's really my point here. Neither of these companies is wrong, bad, or even out of line. They have both done good things and reached out to me in a polite and positive way. However, I can't help thinking that something isn't working. How much research gets done in the name of security, only to find that 70% of attacks/breaches/losses are accidental/internal/external/laptops? How much of it do you read? How many solicitations do you receive on a daily basis for your opinion/answers/blog space, or just to plain sell to you? How do you like it?

I like the personal approach, and don't even mind when it comes through a third party, although I'd prefer it was direct from the companies themselves; it shows more respect somehow. Just a perception, maybe? I like the offer of something for my time/blog space/amazing company. It doesn't have to be much, but I kind of value my time, and it doesn't normally come that cheap. I hate being sold to. I've worked for vendors all my working life in one way or another, and know what every sales cue sounds like a mile away. I will most likely lead you down a very inviting path and slam the door in your face rather than buy anything. Sorry, but I just don't own the budget; I'm a contractor. By the way, you can hire me... :)
Will Database Security Vendors Disappear? [securosis.com] Posted: 15 Oct 2008 11:02 AM CDT
Rich and I got into a conversation Friday about database security, and the fate of vendors in this subsegment, in light of recent financial developments. Is it possible that this entire database security sub-market could vanish? Somewhat startled by the thought, we started going down the list of names, guessing who would be acquired, who was profitable, and who will probably not make it through the current economic downturn without additional investment. It seems plausible that the majority of today's companies may disappear. It's not just that the companies' revenue numbers are slowing with orders being pushed out, but the safety blanket of ready capital is gone, and the vendors must survive a profitability 'sanity check' for the duration of the capital market slowdown. And that becomes even harder with other factors at play, specifically:

Trust. The days of established companies trusting the viability of small security startups are gone. Most enterprises are asking startups for audited financials to demonstrate their viability, because they want to know their vendors will be around for a year or two. Most startups' quarterly numbers hinge on landing enterprise clients, with focused sales and development efforts to land larger clients. Startup firms don't keep 24 months of cash lying around, as it is considered wasteful in the eyes of the venture firms that back them, and they need to use their money to execute on the business plan. As most startups have financials that make public company CFOs gasp for breath, this is not a happy development for their sales teams or their VCs.

Breadth of function. Enterprises are looking to solve business problems, and those business problems are not defined as database security issues. Enterprise customers have trended towards purchasing suites that provide breadth of function, which can be mixed and matched as needed for security and compliance. The individual functions may not be best of breed, but the customer tends to get pieces that are good enough, and at a better price. Database security offers a lot of value, but if the market driver is compliance, most vendors offer too small a piece to assure compliance by themselves.

Too many choices. I do this every day, and have been for almost 5 years. It is difficult to keep up with all the vendors, much less the changes to their offerings and how they work, and get an idea of how customers perceive these products. Someone who is looking at securing their databases, or seeking alternative IT controls, will be bombarded with claims and offerings from a myriad of vendors offering slightly different ways of solving the same security problems. For example, since 2004 (or their more recent inception) I have been tracking these companies on a regular basis: Application Security Inc. And to a much lesser extent: Phulaxis

For DB security product vendors, there are just too many for a $70-80M market subsegment, with too large a percentage of the revenue siphoned off by ancillary technologies. Granted, this is just my list, which I used to track for new development; and granted, some of these firms do not make the majority of their revenue through sales of database security products. But keep in mind there are a dozen or so IDS/SIM vendors that have dabbled in database security, as well as the database vendors' log analysis products such as Oracle's Audit Vault and IBM's AME, further diluting the pool. There have been services companies and policy management companies who all have claimed to secure the database to one extent or another. Log file analytics, activity monitoring, assessment, penetration tests, transactional monitoring, encryption, access control, and various other nifty offerings are popping up all the time. In fact we have seen dozens of companies jump into the space as an opportunistic sortie and leave quickly once they realize revenue and growth are short of expectations. But when you boil it down, there are too many vendors with too little differentiation, lacking implicit recognition by customers that they solve compliance issues.

Database security has never been its own market. On the positive side, it has been a growing segment since 2002, and has kept pace almost dollar for dollar with the DLP market, just lagging about a year behind. But the evolutionary cycle coincides with a very nasty economic downturn, which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those who earn most of their revenue from other products or services may be immune, but DB security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire sales, or bankruptcy, depending upon how and when they act. Rich will give his take tomorrow, but although both of us believe strongly in the value of these products, we are concerned that the combination of market forces and economic conditions will really hurt the entire segment.
-Adrian
Posted: 15 Oct 2008 06:12 AM CDT Jack Wallen takes a challenge head on with his post on questions you need to ask before moving to Linux. I love Linux myself, but that does not mean that I have migrated all my systems. I run several systems on Linux, and I have clients doing the same. Still I find it useful to run Windows on many occasions, and more importantly, I have a few situations where I have no choice but running Windows. One such situation is a booking platform for one of my customers. The platform itself is developed using Java, and is remotely hosted. The platform developer has not bothered to port the solution to Linux (or anything else, for that matter), even considering it should be an easy task. Of course, most of their customers are not aware that there are alternatives to Windows, but this very client would actually prefer to run their workstations on Linux. (Yes, I know we could use Wine etc.; that is not an alternative atm.) For this very customer, Linux would be a great choice because it would enable us to harden the system in order to stop users messing about and installing malware etc. But, due to the booking system, their computers will keep running Windows XP with full administration rights for every user. Duh. Technorati Tags: Linux, Windows |
Security policy being bypassed by employees, survey finds [Vincent Arnold] Posted: 15 Oct 2008 12:11 AM CDT By Robert Westervelt, News Editor Many companies have security policies and procedures in place, but the results of a recent survey found that employees are bypassing many of them, bringing sensitive data home with very few protections. In many cases, companies are struggling to find the right balance between strict security requirements and employee productivity as more employees work at home. Encryption and other security technologies are available, but some firms are accepting the risk and some may be unaware that end users are bringing customer data, personally identifiable information or company financial data home with them on laptops, smartphones and Universal Serial Bus (USB) flash drives. |
Grecs’s Infosec Ramblings for 2008-10-14 [NovaInfosecPortal.com] Posted: 14 Oct 2008 11:59 PM CDT
|
Federal IA Conference Infosec Event [NovaInfosecPortal.com] Posted: 14 Oct 2008 10:41 PM CDT FBC announced this year’s Federal IA Conference infosec event a while back. Here are the logistics for this year’s conference:
For more information on the Federal IA Conference, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See FBC’s Federal IA Conference site for more information. |
Posted: 14 Oct 2008 10:10 PM CDT Here is some information regarding this week’s Thursday OWASP - VA Local Chapter infosec meetup event. If you plan on attending, RSVP to Jeremy Epstein so they can get your badge processing started.
For more information on the OWASP - VA Local Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup. |
Posted: 14 Oct 2008 09:39 PM CDT Here is some information regarding this week’s Thursday ISSA - NoVA Chapter infosec meetup event.
For more information on the ISSA - NoVA Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup. |
Phishing adapts to use financial meltdown to its advantage [Tim Callan's SSL Blog] Posted: 14 Oct 2008 05:15 PM CDT We know that the practice of phishing, when done effectively, involves surprising the victim, taking him out of his normal context, and creating a sense of urgency through fear. What better opportunity to use all three of these principles than by sending phishing e-mails that are hand-crafted with the current financial crisis in mind? WashingtonPost.com's Brian Krebs gives us a great summary of some of the new attacks that prey on targets' financial concerns. |
A (Tentative) Wish-List for a Better, More Secure, Web Browser [Security Provoked] Posted: 14 Oct 2008 04:28 PM CDT Web browsers are where the client machine rubber meets the Web server road. So it stands to reason that strong Web browser security is paramount—far more effective than relying on thousands of Web application/plug-in developers to write more secure code. There are definitely some browser developers that are making strides in the right directions, but none of them are quite there yet. I’m still thinking through this, but if I were writing my wishlist for a more secure Web browser today (and, well… I am) then here’s what it would be: 1. It has to work. This is absolutely the most important piece of the puzzle. The trouble is, the most effective ways browsers have thus far come up with to improve security also cause some truly damaging impacts on performance. 2. It has to be built like a platform, not like a singular application. Once upon a time, the Web was a series of static pages, and the Web browser was an application that let you find and view those static pages. Times have changed, however, and now the browser itself plays host to many rich, Web-based applications. Thus, browser development should be treated more like operating system development. Some browsers–Google Chrome, principally–are beginning to make strides in this direction. (As my fellow CSIers, Kristen Romonovich and Robert Richardson, said from the get-go, Chrome is more a Windows competitor than it is an Internet Explorer competitor.) 3. It needs a modular–not monolithic–architecture. In a modular architecture, the browser is divided into at least two components–generally speaking, one that interacts with the client machine, and one that interacts with the Web and operates from within a sandbox. The main benefit is that it’s a great defense against drive-by malware downloads. 
If an attacker compromises the Web-facing component of the browser, they won’t automatically gain full access to the client machine with user privileges. They’ll only gain access/privileges to whatever the Web-facing component needs. Internet Explorer 8 (beta) and Google Chrome (beta) use modular architectures. The OP Browser still in development by researchers at the University of Illinois uses a more granular modular architecture that splits the browser into five components. Yet monolithic architectures are used by all the major browsers today. (Monolithic architectures are kind of like real-estate brokers who represent both the buyer and the seller–you just can’t quite trust them.) 4. It has to support some sort of process isolation. In essence, isolating processes means that when one site/ object /plug-in crashes, it doesn’t crash the entire browser. 5. Its security policies cannot rely heavily on the user. Average users should not be expected to understand the intricacies of privacy and security settings. They shouldn’t be expected to dig into their Internet options, flip JavaScript on and off and on and off again, disable plug-ins, delete nefarious cookies, or anything else. 6a. It’s got to figure out how to securely handle plug-ins. The troubles with plug-ins are that they tend to run as one instance–so process isolation doesn’t really work with them–they’re given unchecked access to all the browser’s innards, and they tend to assume/require the user’s full privileges. In order to allow plug-ins to run properly, Chromium (the modular, open-source Web browser architecture used by Google Chrome) runs them outside of the sandbox, and with the user’s full privileges–so the browser can’t do anything to save the user’s machine from malicious downloads through an exploited plug-in. The OP Browser has some very innovative ways of handling plug-ins. 
Rather than using the Same Origin Policy–which prohibits scripts and objects from one domain from accessing/loading content (scripts/objects) from another domain–the browser applies to plug-ins a “provider domain policy,” in which the browser can label the Web site and the plug-in content embedded in that Web site with separate origins. The plug-in’s origin will be the domain that’s hosting the plug-in content, which is not necessarily the same as the domain of the page you’re viewing. (So if you were here on GoCSIBlog.com and I’d embedded an Adobe Flash media file from YouTube, the OP browser could recognize the page’s origin as GoCSIBlog.com and the Flash file’s origin as YouTube.com.) The benefit here is that you can add a site to your “trusted” list–thereby allowing plug-ins and allowing any plug-in content that originates from that trusted site–without needing to allow plug-in content that is running on the trusted site but originates from untrusted sites. This greatly mitigates the risks of cross-domain plug-in content… however, a) there are some cases where this policy will prevent plug-ins from operating properly and b) as Robert Hansen, CEO of SecTheory, pointed out to me, the primary vector for cross-domain content attacks (XSS, CSRF) is JavaScript, not plug-ins. Yet, browsers (the OP browser included) continue to apply the same origin policy to JavaScript, and there are many JavaScript-based attacks–JavaScript hijacking, for example–that sidestep the same origin policy. The trouble is, none of the browser companies have really figured out yet how to securely handle JavaScript in a way that doesn’t disrupt one’s browsing experience and/or require security-savvy action from users. The NoScript plug-in for Firefox is a good tool, but a) it’s not a standard Firefox feature, and b) it’s a bit advanced for the average user. 
Other browsers allow you to simply disable JavaScript, but doing so means the user won’t be able to enjoy some of the fun, quintessentially Web 2.0 things the Internet now has to offer. Further, JavaScript is automatically enabled on any sites on the user’s “trusted” list, so malicious JavaScript on a legitimate site continues to be a problem. Web browsers’ inability to elegantly handle JavaScript-related threats is a big problem, because it means that we all must rely upon the individual Web site developers to keep their sites free of cross-site scripting flaws and cross-site request forgery vulnerabilities. Part of the trouble may be that currently available rendering engines, used for parsing HTML and executing JavaScript, are error-prone and written in generally insecure languages. (So if you’re a young researcher, maybe “Creating a more secure HTML rendering engine” would make a good thesis project. Pretty please?) I’m still thinking some of this through, so do let me know if you disagree, see errors in my judgment, or think something else should be on this list. Also: should one browser be expected to do everything? How likely are you (and your users) to use one browser for everyday activities and another browser for more delicate activities? We’ll be devoting the next issue of the Alert–CSI’s members-only publication–to browsers and other elements of client-side Web security issues. We’ll also be discussing some of this during the CSI 2008 conference next month. On Tuesday, Nov. 18, Gunter Ollmann of IBM-ISS will present a full 60-minute session on “Man-in-the-Browser Attacks,” and, also on Tuesday, browser security will be discussed during the Web 2.0 Security Summit, moderated by Jeremiah Grossman (CTO, WhiteHat Security) and Tara Kissoon (Director of Information Security Services at VISA, Inc.). |
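To make the origin-labelling distinction in the post concrete, here is an added Python model (written for this page; it is not OP browser code and not from the original post) of how a trusted-site decision changes when plug-in content inherits the embedding page's origin versus when it is labelled with the provider's origin. The URLs and trusted list are constructed for illustration, and the GoCSIBlog.com / YouTube.com scenario is the one the post describes.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple used for same-origin comparison.
    Host is lowercased and a missing port is filled from the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """Classic same-origin check: scheme, host and port must all match."""
    return origin(url_a) == origin(url_b)


def plugin_origin(page_url, plugin_url, provider_domain_policy):
    """Origin assigned to embedded plug-in content.
    Page-inherited labelling: the plug-in gets the embedding page's origin.
    Provider-domain labelling (as the post describes for OP): the plug-in gets
    the origin of the host that actually serves the plug-in content."""
    return origin(plugin_url) if provider_domain_policy else origin(page_url)


def allow_plugin(page_url, plugin_url, trusted_hosts, provider_domain_policy=True):
    """Decide whether plug-in content may run: it runs only if the origin the
    browser labels it with belongs to a host on the user's trusted list."""
    _, host, _ = plugin_origin(page_url, plugin_url, provider_domain_policy)
    return host in trusted_hosts


def demo():
    """Constructed scenario: the user trusts gocsiblog.com only."""
    trusted = {"gocsiblog.com"}
    page = "http://gocsiblog.com/2008/10/browser-wishlist"
    youtube_flash = "http://youtube.com/v/example.swf"      # constructed URL
    cdn_flash = "http://cdn.gocsiblog.com/player.swf"        # constructed URL
    return {
        # Trusting the page also trusts whatever it embeds: the Flash file
        # from YouTube runs because it inherits gocsiblog.com as its origin.
        "inherited_youtube": allow_plugin(page, youtube_flash, trusted, False),
        # Provider-domain policy: the same file is labelled youtube.com, which
        # is not trusted, so it is blocked even though the page is trusted.
        "provider_youtube": allow_plugin(page, youtube_flash, trusted, True),
        # The post's caveat (a): a legitimately hosted subdomain is a different
        # origin, so the stricter policy blocks it until the user adds the host.
        "provider_cdn": allow_plugin(page, cdn_flash, trusted, True),
    }
```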