Posted: 31 Oct 2008 05:48 AM CDT
Posted: 31 Oct 2008 05:41 AM CDT
Posted: 31 Oct 2008 05:19 AM CDT
Image via Wikipedia
Looks like McAfee is going to need a new addition to the ePO uber-suite. They need something to plug the back door of their own marketing machine! It seems a product marketing manager at the security firm and her husband steered about 3.8 million dollars to firms that they had a financial interest in. They were arrested and charged according to this article. I guess the (in)famous Total Protection Suite didn't have an anti-marketing rip off module or maybe it just wasn't up to date ;-)
Seriously it just goes to show that you can have all of the security technology and safeguards you want. People are still the greatest threat!
Posted: 31 Oct 2008 04:59 AM CDT
Image via Wikipedia
The Security Bloggers Network (SBN) is pleased to announce that the Computer Security Institute (CSI) and the SBN will be promoting and participating in this years annual CSI conference, Nov 15-21 at the Gaylord National in the Washington, DC area. The CSI show is always one of the biggest security events of the year with a full program of sessions and large exhibit.
The SBN with over 185 member blogs, is the largest aggregated feed of security blogs in the world. The folks at CSI recognizing the power and influence of blogs in the media have asked us to help promote the event and invited SBN members to attend as press. Additionally the good folks of CSI have allowed us to make available some benefits to our readers as well:
1. If you would like to attend the conference you can receive a 25% discount by using our special code: BLOG25
2. I have one full boat conference pass. That is right for the entire conference including sessions! This is over a 2,000 dollar value. I will be awarding it to the person who comments on this post with the best and most interesting story on how attending security conferences such as CSI have helped you in your security related job. Just leave a comment with your award, but be sure to leave an email for me to contact you. I will pick one person by next Wed.. Good luck!
It is good to see the SBN getting this kind of coverage. I am looking forward to attending CSI this year and hope to see you there!
Posted: 31 Oct 2008 02:27 AM CDT
.... to my ADSL application.
Last year in October a salesperson at Telkom phoned to let me know that my phone exchange supports ADSL and do I want to upgrade my line to have ADSL?
I did the maths and worked out that it would be cheaper for me to have ADSL and have the benefit of all-time-on access to the Internet.
So, I applied and a few days later my application was processed and I had an application number. It all got to the point where I had the modem connected and ready when a technical person at the exchange noticed that "no, the exchange is potentially ready for ADSL but was not, in fact, ready."
"But, good news, there is a project to upgrade the exchange to be ADSL capable. It should be done by latest end of December 2007."
That became end of January, end of February, end of April... then it jumped to end of June.
Now it is scheduled to be completed by the end of April 2009.
The way things are looking - I'll probably be celebrating the second birthday of my ADSL application this time next year... many happy returns.
Posted: 31 Oct 2008 12:34 AM CDT
There are quite a few similarities between configuring a Cisco switch and a Foundry switch. There are at least two areas though where they are similar yet very, very different: link aggregation and frame tagging.
Let’s hit link aggregation first. In Cisco’s world its called “etherchannel.” In Foundry’s world its called “trunking.” Configuration wise Foundry’s trunking is much simpler than creating an etherchannel. Seems easy enough…until you get into frame tagging.
Now let’s hit frame tagging. Cisco uses the term “trunking” for links that carry multiple VLANs. Wait a minute…we just talked about “trunking” and it had nothing to do with frame tagging. VLAN Trunking Protocol (VTP) is the vehicle in which all VLANs are managed across a switched network. VTP roles (server, client & transparent) make it so VLANs can all be created on a switch with the “server” role which will then advertise every VLAN to switches that are trunked in the same VTP domain. In Foundry’s world they tackle frame tagging with a much more sensical term, “tagged.” Essentially any uplink connection to another switch is a “trunk” in Cisco speak but you have to specify which VLANs should be “tagged” across the uplink. The big downfall of this is that every VLAN must be created on every switch and then must be specifically tagged to flow across the uplink connection. This obviously is more configuration intensive than Cisco’s VTP.
The lesson here is when in a mixed environment choose your words carefully. If you have your Cisco hat on and you are talking about trunking somebody else might have their Foundry hat on and think you are talking about link aggregation.
Posted: 31 Oct 2008 12:29 AM CDT
I'm afraid it's come to this, Simon.
It occurs to me that the only way we can settle our debate to finality is via mortal combat.
I'm calling you out:
What: Sumo Suit VirtSec Smackdown (how Xen/Zen!)
Who: Simon Crosby vs. Chris Hoff
Where: RSA 2009, Moscone Center, San Francisco, Venue TBD
When: During the April 20-24th, 2009 timeframe
Why: You know why...
Wow: This will be a charity event with the proceeds going to Johnny Long's Hackers for Charity which you can find out about here.
You wouldn't want to let down the community now would you Simon?
See you in San Francisco...
UPDATE: Simon is THE man! He's accepted the battle. We'll have an all-star panel of judges and Dan Kaminsky has agreed to referee. Winner gets grandma's cookies! w00t!
Posted: 30 Oct 2008 10:45 PM CDT
Simon Crosby and I have been going 'round a bit lately arguing the premise of where, why, when, how and how much security should be invested by either embedding it in the virtualization platform itself or being addressed by third parties.
Simon's last sentence in his latest riposte titled "Hoff is Still Confused" was interesting:
Re-reading Hoff's posts, I find that I agree with him in just about every respect in his assessment of the technology and its implications, and I think we're doing exactly as he would recommend, so I'll be interested to hear if he has more to say on this
Well, how the hell am I supposed to argue with that!? ;) OK, now I am confused! Simon's taken the high road and thus I shall try to do so, too. I wrote a ton more in response, but I'm not sure anybody cares. ;)
All told, I think we're both aiming at a similar goal in spite of our disparate approaches: achieving a more secure virtualized environment.
But seriously, I don't think that I'm confused about Citrix's position on this matter, I just fundamentally disagree with it.
I feel strongly that Simon and I really are on different sides of a religious issue but without a more reasonable platform for discussion, I'm not sure how we'll intelligently discuss this more coherently without all the back and forth. Perhaps a cage match in sumo suits!?
I appreciate Simon clarifying his position and reaching out to ensure we are on the same page. We're not, but the book's not closed yet.
So we agree to disagree, and I respect Simon for his willingness to debate the issue.
Posted: 30 Oct 2008 02:15 PM CDT
I wonder if you might help me.
I operate an e-commerce Internet-based business that processes and stores cardholder data.
I need a QSA to assess my infrastructure and operations for PCI/DSS compliance.
Oh, I forgot to mention. All my infrastructure is in the cloud. It's all virtualized. It runs on Amazon's EC2. All my data is hosted outside of my direct stewardship. I don't own anything.
Since the cloud hides all the infrastructure and moving parts from me, I don't know if I meet any of the following PCI requirements:
A friend told me about section 12.8, but it doesn't really apply because the "service" provider just provides me cycles and storage, I run the apps I build but I don't see any of the underlying infrastructure.
Also, I have no portability for BCP/DR because my AMI only runs on the Amazon cloud, nowhere else. I don't know who/how backups are done outside of my manifest.
I'm sure we could ask though, right?
However, this is the quandary we're facing with virtualization and cloud computing. In terms of the companies that hire these PCI compliance experts, the assessment methodology/requirements are predicated upon a "standard" that continues to be out of touch with the economic and technological world around it. That's not the experts' fault, they're scoring you against a set of requirements that are black and white.
As companies try and leverage technology to be more secure, to transfer risk, to focus on the things that matter most and reduce costs -- if you believe the marketing -- It's really a no-win situation.
The PCI Security Standards Council doesn't even have a SIG for virtualization and yet we see the crushing onslaught of virtualization with no guidance and this tidal wave has been rushing at us for at least 3-5 years. If you believe the uptake of cloud computing, we're blindly hurdling over the challenges that virtualized internally-owned infrastructure brings and careening headlong down a path to cloud computing that leaves us in non-compliance.
The definition of what a "service provider" means and how they interact with the cardholder data companies are supposed to protect needs to be redefined.
It's time the PCI Council steps up and gets in front of the ball and not crushed by it such that the companies that would do the right thing -- if they knew what that meant -- aren't punished by an out-of-touch set of standards.
Posted: 30 Oct 2008 01:26 PM CDT
NCA's 2008 Security and Technology Conference was yesterday and Carlos Dominguez of Cisco opened the day with a high energy presentation that set a very high standard. I was pleased with the interest in my afternoon presentation on TJX, which was well attended.
The TJX data breach is worth following for two reasons. One is simply the mind boggling scale of compromising 45 million cards and nearly half a million identities over a period of years. Another is the demonstration of some great IT security precepts that everyone can learn from. In my presentation I give an overview of the American hackers who broke into the TJX network, the Eastern European and Chinese carders who facilitated the trading of the stolen cards, and the money mules in Miami who were caught using the cards.
The most important lesson of TJX is the simplest one - protect customer data at all costs, because once the genie has escaped from the bottle, it’s too late. I’ll look at distilling some of the presentation points into a blog post in the future.
I also touched on the recent UK ‘chip and pin’ compromise which relied on physically compromising the point of sale hardware, possibly at the point of manufacture in China, and then siphoning card data wirelessly to a site in Pakistan. There was lively feedback from the audience, and some great questions. One person related the UK POS hardware compromise with the recent discovery of gray market networking hardware in the US. This was an angle I hadn’t considered, and the sophistication of the UK POS breach shows grey market hardware is a potential opportunity for cybercriminals to further penetrate corporate networks.
Napera had a booth at the conference and it was great to catch up with customers and industry folks. We’ve been working with Tom Gobeille and his team at NCA in Washington, Oregon and California since we first launched the Napera N24 and yesterday’s gathering demonstrated NCA’s technology and service leadership in the Pacific Northwest.
ChrisB and Jason talking to a customer at the NCA conference.
Posted: 30 Oct 2008 12:42 PM CDT
$ sudo emerge -C gelmini :-)
This posting includes an audio/video/photo media file: Download Now
Posted: 30 Oct 2008 12:35 PM CDT
Posted: 30 Oct 2008 10:34 AM CDT
Matt Olney, Alain Zidouemba and Lurene Grenier of the Sourcefire VRT have collated their analysis of the DCE/RPC vulnerability announced in Microsoft Security Bulletin MS08-067. A white paper that discusses this issue is now available on snort.org at the following address: http://www.snort.org/vrt/docs/white_papers/ As always, we do not require any kind of form to be filled in, nor do we ask
Posted: 30 Oct 2008 08:18 AM CDT
I figured that scareware (software that creates pop-ups telling you your computer is infected and can be cleaned for just $49.95) paid, otherwise organized crime wouldn’t be involved. But I hadn’t realized how well; according to the NYT, Bakasoftware made over $5 million last year selling their own software. Two things I thought was interesting is that the software uninstalls itself if the owner of the computer is a Russian speaker (Bakasoftware is a Russian company). The second thing, which may just be coincidence, is that ‘baka’ is Japanese for fool or idiot. It’d make sense for a scareware company to name itself “Idiot Software”. And yes, I’ve been watching too much anime lately.
Posted: 30 Oct 2008 07:24 AM CDT
I will be previewing one S4 2009 paper each week. Digital Bond’s SCADA Security Scientific Symposium is Jan 21-22 in Miami Beach with an advanced control system security course on Jan 20th.
Last week’s preview focused on physical layer vulnerabilities in IEEE 802.15.4, the protocol underlying Zigbee, ISA 100, WirelessHART and other protocols being considered and deployed in control systems. This weeks preview is a companion paper that focuses on IEEE 802.15.4 implementation errors at the data link layer. The two papers lead off S4 Day 2 and should be a very interesting pair.
Low Level Design Vulnerabilities in Wireless Control System Hardware
The IEEE 802.15.4 protocol can suffer from hardware and software implementation vulnerabilities like any other protocol implementation even if the underlying protocol is vetted and considered secure. In this paper the authors, Bradley Singletary and Darren Highfill of EnerNex and Travis Goodspeed of UT/Knoxville, analyze 802.15.4 hardware and firmware implementations for vulnerabilities and resistance to attacks. Since popular hardware and firmware implementations of low layer protocols are often used in multiple vendor implementations, this work could have widespread ramifications.
Topics in the paper and presentation will include design induced vulnerabilities such as the extraction and modification of communications device firmware, man-in-the-middle attacks between chips of a communications devices, circumvention of protection measures, bus snooping, and other attacks. This abstract has me eagerly awaiting the full paper.
Posted: 30 Oct 2008 12:00 AM CDT
Posted: 29 Oct 2008 11:03 PM CDT
I did my first “spin” class tonight. Holy cow am I wishing I hadn’t done that about now. The first 20 minutes I was cruising right along but then it started going downhill fast. By minute 35 I wanted to pick the bike up and throw it at the instructor. The last ten minutes I couldn’t stand while riding for more than 15 seconds. I’d look around and see a small kid, probably 12 or 13, pedaling along like it was nothing. Behind him was a women at least 40 and probably closer to 50 able to do what I couldn’t. Boy did I feel like a pathetic turd. I thought for sure my heart was going to jump out of my chest during the last “climb.” I was struggling so hard that I couldn’t follow instructions in a timely manner. The instructor would bark out “up” and by the time I was up she was yelling “down” so for the last 3 minutes of the ride I was up when everyone else was down and they were all up when I was down. Rode 17.5 miles in 50 minutes…a real ass kicker. If you asked me right now I’d rather be punched in the face than do another spin class. 4 to 1 odds that I make the same stupid mistake next Wednesday.
Posted: 29 Oct 2008 06:06 PM CDT
VizSec is a fairly academic conference that brings together the fields of security and visualization. The conference had an interesting mix of attendees: 50% came from industry, 30% from academia, and 20% from government. I had the pleasure of being invited to give a talk about DAVIX and also participate on a panel about the state of security visualization in the market place.
I completely agree and if you have seen me talk about the dichotomy, I outline a number of examples where this becomes very obvious.
Visualization is about how to present data. I am not always sure that people understand that.
Posted: 29 Oct 2008 04:14 PM CDT
The VeriSign Identity Protection Network allows consumers to use a single security device to authenticate themselves across any VIP-enabled Web site. So it's easier for all of us to stay safe online by integrating two-factor authentication into our online routine.
"Before I started using my token, someone was breaking into my account every four to six weeks...I previously had to change my password constantly to keep others out of my account, but since I started using the PayPal Security Key, I haven't had to change it once."At the eBay Live! event this past June, we surveyed 689 attendees about their experiences with the PayPal Security Key (a VIP token).
• A third of respondents said they use the PayPal Security Key
• Nearly three-quarters of users said that their PayPal key is easy to use.
Most respondents said they wanted to enjoy VIP protection with a variety of services - including online banking, shopping, gaming and stock trading - while nearly half hoped to use their token to access health care services. We're hoping we can help make those requests a reality.
Posted: 29 Oct 2008 04:03 PM CDT
Posted: 29 Oct 2008 03:42 PM CDT
EstDomains, a domain name registrar with a reputation for catering to cyber criminals, suffered another blow after the organization that oversees the net's address system said it would revoke the company's right to sell domain names because of a recent fraud conviction in Estonia of its president. In a letter addressed to EstDomains President Vladimir Tsastsin, an official with the Internet Corporation for Assigned Names and Numbers said EstDomain's registrar accreditation would be revoked on November 12. –Notorious registrar gets deactivation notice for president's sin
Posted: 29 Oct 2008 03:34 PM CDT
Just to underline once more that Italian MPs don't know absolutely anything about the Internet, here is a proposal by MP Luca Barbareschi, a former actor and TV show host, to combat piracy. Barbareschi proposes to mandate an Internet identity card to access the net. This is a wonderful idea, I wonder why the IETF didn't think about it in the first place.
Posted: 29 Oct 2008 02:28 PM CDT
Gunnar just hit a home run responding to John Pescatore's one line, twelve word summarization of how to measure a security program's effectiveness. Read Gunnar's post in it's entirety but here's the short version:
The best security program is at the business with the happiest customers.
There's a fine line between happy customers and playing piano in a bordello.
The best security program is at the business with sustainable competitive advantage.
The best security program is at the business that is, itself, sustainable.
It's hard enough to derive metrics that adequately define a security program's effectiveness, value, and impact on risk. Balanced scorecard or not, the last thing we need is the introduction of a satisfaction quotient that tries to quantify (on a scale from 1-10?) the "warm and fuzzies" a customer enjoys whilst having their endpoint scanned by a NAC device before attaching to your portal... ;)
I understand what John was shooting for, but it's like suggesting that there's some sort of happiness I can achieve when I go shopping for car insurance.
Posted: 29 Oct 2008 02:04 PM CDT
As you know, I've been making a policy of measuring the effect of EV SSL Certificates (and therefore green address bars) on visitor behavior at various types of Web sites. One area that's been underresearched is online banking. I'm pleased to tell you that yesterday VeriSign announced the first such measurement on an online bank.
Posted: 29 Oct 2008 01:35 PM CDT
The choice in this election is between a small or large left-ward shift. McCain is a moderate Republican, Obama is a radical Democract. A bigger issue than the candidate is the Democrat-controlled congress. Our country was designed with the idea of checks and balances, but this system breaks down when the same party controls both the presidency and congress. Our country has prospered most when difference parties controlled these two branches of government.
Technology regulation is the biggest concern for us. McCain is famously over a hundred years old and has never sent an e-mail. Yet, Obama is not much better. Whereas neither candidate knows much about computers, McCain has extensive experience in telecoms regulation. It is here where McCain has demonstrated a greater understanding of the Internet and its history.
Obama has frequently described the Internet as something created by the government. In contrast, McCain watched the Internet evolve from its infancy. McCain remembers how the over-regulated telecommunications industry failed to innovate. He also remembers that the government did indeed design an Internet known as "GOSIP", and that this alternative Internet failed. McCain knows that today's Internet was designed not by government nor by corporations, but by mavericks that opposed both.
A test of the candidates' desire to regulate is "Net Neutrality". Obama sees this as government protecting the people. McCain sees this as yet another example of the type of overregulation that destroys innovation. What concerns McCain is that Net Neutrality laws protect business interests, giving power to those at the "ends" of the network (like search monopoly Google) over those providing Internet service (like AT&T). McCain is concerned with the fact that Google has spent millions lobbying congress to pass Net Neutrality legislation. McCain is worried about the way Google has hired former FCC employees and Internet luminaries to do its lobbying, exactly the sort of Washington cronyism that has stifled telecommunications for the last 30 years.
Government regulation cannot fix cybersecurity. There is a myth that some sort of "magic pill" will solve all security problems, and that government should just force everyone to take this "magic pill". This "magic pill" doesn't exist. If it did, everyone would have taken it already. No such pill will ever exist. Security is a tradeoff - each gain in security requires sacrificing something else. Different people want different tradeoffs and therefore different solutions (and different risks). Government regulation forces a one-size-fits all set of tradeoffs. We want less government regulation in cybersecurity. We want people to choose tradeoffs and risks for themselves.
The state of the art of hacking and defense changes faster than government regulators can keep up. Today's compliance issues were based on a model where hackers attacked "server" vulnerabilities. Now hackers target mostly "client" vulnerabilities, and those regulations are out of date. Regulatory compliance is forcing companies to keep their focus on the old threat rather than addressing these new threats.
Government regulation is corrupt. Laws are heavily influenced by lobbyists. Companies have cozy relationships with auditors that allow them to pass compliancy checks while having little or no security.
McCain is not our perfect candidate in regards to Internet regulation, but he is much better than Obama and the Democrat-controlled congress.
Economics is our second concern. Entrepreneurs and small companies drive the innovation in our industry. Most cybersecurity innovations come from the United States because of our business-friendly climate.
Obama's tax plan hurts small cybersecurity companies. The majority of people we know work 80-hour weeks. Their spare time is spent reading technical books to keep their skills sharp. They quit their jobs at large firms in order to create an independent consultancy or create a new product company. It is this highly skilled, hard working professional that Obama proposes to tax in order to send welfare checks to unskilled laborers that don't work as hard. The cybersecurity professionals we know don't have time to watch much TV, the average American receiving Obama's checks spends 28-hours a week in front of the TV. This income redistribution is a strong disincentive to entrepreneurs. Why improve your cybersecurity skills, work hard, or take the risk with a startup if you cannot enjoy the rewards of doing so? This is a selfish point of view, of course, but a large reason we support McCain.
Security is a luxury. It is one of first things companies cut when profits decline, it is one of the first things they invest in when things get better. Obama's anti-business policies, such as trade protectionism we cut corporate earnings and reduce their investment in cybersecurity.
And, the issue of regulation comes up again. American's start their own business at a rate of 10 to 1 vs. Europe precisely because it's easy. In most other countries, it can take a year's wages and months of hard work just to get the business licenses needed to start a company.
We are also concerned with foreign policy. Many foreign countries, notably China and Russia, have policies that encourage their citizens to attack American cyberspace. While we are not happy with the current president's Texas-cowboy approach of attacking foreign countries, neither are we happy with Obama's stated strategy of appeasement. We prefer McCain's more moderate approach between these two extremes. As a side note, we suggest that the next government respond in kind - making it easy for our own citizens respond to these attacks.
Both candidates displease us on certain issues. Both candidates failed on the issue of the so-called "Patriot" Act and the recent FISA bill. Both candidates fail on the issue of intellectual property. Both candidates fail on the issue of free speech, although we worry more about the passage of a so-called "Fairness" Doctrine next year designed to curtail right-wing speech.
These issues are like the slavery debate 200 years ago. The issues are so integrated into society that many people cannot see their obvious immorality. We understand how our society is based upon the protection of property rights, and how intellectual property is a leading American expert, but this should not blind us to the obvious abuse of intellectual property.
In summary, we believe John McCain is the best candidate for cybersecurity. The next president will not help cybersecurity much. The most we can hope for is that they resist the urge to meddle in something that government does not understand, cannot understand, and which will ultimately be driven more by special interests than technical knowledge.
EDIT: This blog asks should security company's endorse a president? It suggests our inspiration comes from movie stars, but in reality it comes frm Google's endorsement of Obama. Why is the search/advertising monopoly allowed to endorse a candidate but not a small security consultancy?
Posted: 29 Oct 2008 01:28 PM CDT
Researchers Martin Vuagnoux and Sylvain Pasini recently released video demonstrating the ability to pull electromagnetic eminations from wired keyboards. Both videos show how various configurations of standard keyboards could have keystrokes intercepted through the air.
Many of us have heard of the old TEMPEST project that was made famous by their demonstration of the ability to intercept the data that would be displayed on Cathode Ray Tube monitors. Imagine having someone sit outside your office or home and being able to see on their monitor the very same things you are looking at on yours.
I wonder how many more corporate scandals would hit the press if this happened regularly.
Now it appears that simply typing your passwords or authentication information on a keyboard could expose them to the world at large. If you never worried about using password only authentication to protect data, you definitely should now.
The truly scary piece for me is that now that this has been demonstrated, any attacks that we see will probably be narrowly focused and targeted. Security controls in most corporations are not designed to withstand such an attack. These attacks will single out individuals—an attack method that is widely successful.
An additional factor of authentication such as a One Time Password might be able to stave off an attack, at least when it comes to leaking valid credentials to an attacker. Then again, depending on the method, it might not be able to do that.
I'd be interested to see if someone could direct a signal at a machine to insert characters into the computer remotely. Wouldn't that be wicked?
Posted: 29 Oct 2008 12:25 PM CDT
I talk about it all the time: the most important thing that you must do for your career is branding your name. Your “Personal Brand” IS your career.
I happened upon an interesting thought exercise for branding when talking with Melina the other day. We were talking about her business, and I asked the following question:
“What problem do you want your clients to have when they think of your name?”
That’s an incredibly powerful way to conceive of branding. It speaks to all elements of what a brand is - what you’re an expert on, what you’re known for, and how you help your clients on a daily basis.
This is true whether you’re branding a business or developing your personal brand. Change it around for personal branding:
What problems do you want your boss/peers/colleagues to have when they think about calling you?
Posted: 29 Oct 2008 12:12 PM CDT
Hat-tip to David Marshall for the pointer.
In what can only be described as the natural evolution of Xen's security architecture, news comes of a Xen community project to integrate a VM Introspection API and accompanying security functionality into Xen. Information is quite sparse, but I hope to get more information from the project leader, Stephen Spector, shortly. (*Update: Comments from Stephen below)
This draws naturally obvious parallels to VMware's VMsafe/vNetwork API's which will yield significant differentiation and ease in integrating security capabilities with VMware infrastructure when solutions turn up starting in Q1'09.
From the Xen Introspection Project wiki:
The purpose of the Xen Introspection Project is to design an API for performing VM introspection and implement the necessary functionality into Xen. It is anticipated that the project will include the following activities (in loose order): (1) identification of specific services/functions that introspection should support, (2) discussion of how that functionality could be achieved under the Xen architecture, (3) prioritization of functionality and activities, (4) API definition, and (5) implementation.
Some potential applications of VM introspection include security, forensics, debugging, and systems management.
I wonder if we'll see XenAccess fold into the VMI Xen project?
Astute readers will also remember my post titled "The Ghost of Future's Past: VirtSec Innovation Circa 2002" in which I reviewed work done by Mendel Rosenblum and Tal Garfinkel (both of VMware fame) on the LiveWire project which outlined VMI for isolation and intrusion detection:
What's old is new again.
Given my position advocating VMI and the need for inclusion of this capacity in all virtualization platforms versus that of Simon Crosby, Citrix's (XenSource) CTO in our debate on the matter, I'll be interested to see how this project develops and if Citrix contributes.
Microsoft desperately needs a similar capability in Hyper-V if they are to be successful in ensuring security beyond VMM integrity in their platform and if I were a betting man, despite their proclivity for open-closedness, I'd say we'll see something to this effect soon.
I look forward to more information and charting the successful evolution of both the Xen Introspection Project and XenAccess.
Update: I reached out to Stephen Spector and he was kind enough to respond to a couple of points raised in this blog (paraphrased from a larger email):
Bryan Payne from Georgia tech will be participating in the project and there is some other work going on at the University of Alaska at Fairbanks. The leader for the project is Stephen Brueckner from NYC-AT.
Sounds like the project is off to a good start!
Posted: 29 Oct 2008 11:50 AM CDT
This is in response to my buddy Alex Hutton's blog post titled "Cloud Computing - Stormy Weather?"
If you took a poll
I'd bet the dough in my pocket
not one could agree
on the relative impact
it will have on IT
with the moving parts hid
whatever you call it
its adoption is brisk
but like most "innovation"
we've forgotten 'bout risk
Cloud computing's a trade off
Be sovereign or efficient
I guess it depends
on where you think you're proficient
Some things are ripe to be cloudy
Others? Not so much
Some things we'll let go of
others tightly we'll clutch
Most companies I know
manage risk with their gut
when new tech comes along
they're still mired in that rut
So security gets blamed
for standing in progress' way
yet we're stuck with defending
C, I and A
We need to be agile
but oh yeah, compliant
Though the potential for loss,
means our exposure is giant
Cloud advocates say
Amazon's never been breached
so we can trust that our data
will never be leached?
We've got wares as a service,
Web 2 dot 0, SOA
'lastic clouds, fuzzy storage
It's the future, some say
But I can't help but think
the handwaving's distracting
from the uncomfortable truths
of what this is impacting
We can't even manage
the stuff that we own
yet we're willing to outsource
where our assets call home?
We don't classify data,
can't control where it goes
but we'll transfer our risk
to someone nobody knows?
Diguising marketing efforts
as tech. innovation
and suggesting that insight
will spur risk ideation?
Create efficient operations?
Those are quite lofty goals,
They can't solve real problems
so a new one's created
to distract from the point
that we're being masturbated
I'm all for the cloud
been doing it for years!
Got a real game changer?
Hey man, I'm all ears.
|You are subscribed to email updates from Security Bloggers Network |
To stop receiving these emails, you may unsubscribe now.
|Email Delivery powered by FeedBurner|
|Inbox too full? Subscribe to the feed version of Security Bloggers Network in a feed reader.|
|If you prefer to unsubscribe via postal mail, write to: Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610|