Friday, October 31, 2008

Spliced feed for Security Bloggers Network


Italian students in Madrid protest against the new education law [Security Circus]

Posted: 31 Oct 2008 05:48 AM CDT

Homer Simpson fights (and loses) against an electronic voting machine [Security Circus]

Posted: 31 Oct 2008 05:41 AM CDT

Homer Simpson fights (and loses) against an electronic voting machine

McAfee's newest security product plugs holes in marketing backdoors [StillSecure, After All These Years]

Posted: 31 Oct 2008 05:19 AM CDT

McAfee headquarters in Santa Clara.

Looks like McAfee is going to need a new addition to the ePO uber-suite. They need something to plug the back door of their own marketing machine! It seems a product marketing manager at the security firm and her husband steered about 3.8 million dollars to firms that they had a financial interest in. They were arrested and charged, according to this article. I guess the (in)famous Total Protection Suite didn't have an anti-marketing-rip-off module, or maybe it just wasn't up to date ;-)

Seriously, it just goes to show that you can have all of the security technology and safeguards you want. People are still the greatest threat!


The Security Bloggers Network and CSI conference [StillSecure, After All These Years]

Posted: 31 Oct 2008 04:59 AM CDT

Computer Security Institute

The Security Bloggers Network (SBN) is pleased to announce that the Computer Security Institute (CSI) and the SBN will be promoting and participating in this year's annual CSI conference, Nov 15-21 at the Gaylord National in the Washington, DC area. The CSI show is always one of the biggest security events of the year, with a full program of sessions and a large exhibit.

The SBN, with over 185 member blogs, is the largest aggregated feed of security blogs in the world. The folks at CSI, recognizing the power and influence of blogs in the media, have asked us to help promote the event and invited SBN members to attend as press. Additionally, the good folks of CSI have allowed us to make available some benefits to our readers as well:

1. If you would like to attend the conference you can receive a 25% discount by using our special code: BLOG25

2. I have one full boat conference pass. That is right, for the entire conference, including sessions! This is over a 2,000 dollar value. I will be awarding it to the person who comments on this post with the best and most interesting story on how attending security conferences such as CSI has helped you in your security-related job. Just leave a comment with your award, but be sure to leave an email for me to contact you. I will pick one person by next Wed. Good luck!

It is good to see the SBN getting this kind of coverage. I am looking forward to attending CSI this year and hope to see you there!



Happy (Belated) First Birthday! [Security Thoughts]

Posted: 31 Oct 2008 02:27 AM CDT

... to my ADSL application.

Last year in October a salesperson at Telkom phoned to let me know that my phone exchange supports ADSL and to ask whether I wanted to upgrade my line to ADSL.

I did the maths and worked out that it would be cheaper for me to have ADSL and have the benefit of all-time-on access to the Internet.

So, I applied and a few days later my application was processed and I had an application number. It all got to the point where I had the modem connected and ready when a technical person at the exchange noticed that "no, the exchange is potentially ready for ADSL but was not, in fact, ready."

"But, good news, there is a project to upgrade the exchange to be ADSL capable. It should be done by latest end of December 2007."

That became end of January, end of February, end of April... then it jumped to end of June.

Now it is scheduled to be completed by the end of April 2009.

The way things are looking - I'll probably be celebrating the second birthday of my ADSL application this time next year... many happy returns.

Same Word, Two Different Meanings []

Posted: 31 Oct 2008 12:34 AM CDT

There are quite a few similarities between configuring a Cisco switch and a Foundry switch.  There are at least two areas though where they are similar yet very, very different:  link aggregation and frame tagging.

Let’s hit link aggregation first. In Cisco’s world it’s called “etherchannel.” In Foundry’s world it’s called “trunking.” Configuration-wise, Foundry’s trunking is much simpler than creating an etherchannel. Seems easy enough…until you get into frame tagging.

Now let’s hit frame tagging.  Cisco uses the term “trunking” for links that carry multiple VLANs.  Wait a minute…we just talked about “trunking” and it had nothing to do with frame tagging.  VLAN Trunking Protocol (VTP) is the vehicle in which all VLANs are managed across a switched network.  VTP roles (server, client & transparent) make it so VLANs can all be created on a switch with the “server” role which will then advertise every VLAN to switches that are trunked in the same VTP domain.  In Foundry’s world they tackle frame tagging with a much more sensical term, “tagged.”  Essentially any uplink connection to another switch is a “trunk” in Cisco speak but you have to specify which VLANs should be “tagged” across the uplink.  The big downfall of this is that every VLAN must be created on every switch and then must be specifically tagged to flow across the uplink connection.  This obviously is more configuration intensive than Cisco’s VTP.

The lesson here is when in a mixed environment choose your words carefully.  If you have your Cisco hat on and you are talking about trunking somebody else might have their Foundry hat on and think you are talking about link aggregation.
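As an added illustration (not part of the original post), here are the two meanings of "trunk" side by side in configuration. The interface names, VLAN numbers and VTP domain are made up, the Cisco lines are IOS syntax, and the Foundry lines are FastIron syntax written from memory, so check both against the vendor documentation for your platform before use.

```text
! --- Cisco IOS (assumed IOS 12.x-era switch syntax) ---
! Link aggregation: Cisco calls this an "etherchannel".
interface range GigabitEthernet0/1 - 2
 channel-group 1 mode on
!
! Frame tagging: Cisco calls a link carrying several 802.1Q VLANs a "trunk".
! A Cisco trunk allows every VLAN by default, so restrict the list explicitly
! and turn off DTP negotiation so the port cannot be talked into trunking.
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
! VLANs are created once on the VTP server and advertised to every switch
! that is trunked in the same VTP domain.
vtp domain EXAMPLE-DOMAIN
vtp mode server
vlan 10
 name users
vlan 20
 name servers

! --- Foundry FastIron (syntax assumed from memory; verify before use) ---
! Link aggregation: Foundry calls this a "trunk".
trunk ethernet 1/1 to 1/2
!
! Frame tagging: each VLAN is created on this switch and "tagged" on the uplink.
! Nothing is advertised, so the same VLAN definitions must be repeated on
! every switch along the path.
vlan 10 name users by port
 tagged ethernet 1/1 to 1/2
vlan 20 name servers by port
 tagged ethernet 1/1 to 1/2
```

The operational trade-off the post describes has a security side: on the Cisco side a trunk left at its defaults carries every VLAN, and a switch joining a domain as a VTP server with a higher configuration revision can replace the VLAN database of the whole domain, so pruning allowed VLANs and controlling who holds the server role matters. On the Foundry side nothing propagates, which is more typing but leaves no implicit VLAN path across an uplink.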

There's Only One Way To Settle This Crosby: Security Sumo Suit Smackdown... [Rational Survivability]

Posted: 31 Oct 2008 12:29 AM CDT


I'm afraid it's come to this, Simon.

It occurs to me that the only way we can settle our debate to finality is via mortal combat.

I'm calling you out:

What: Sumo Suit VirtSec Smackdown (how Xen/Zen!)

Who: Simon Crosby vs. Chris Hoff

Where: RSA 2009, Moscone Center, San Francisco, Venue TBD

When: During the April 20-24th, 2009 timeframe

Why: You know why...

Wow: This will be a charity event with the proceeds going to Johnny Long's Hackers for Charity which you can find out about here.

Real shipping versions of you only, no virtual replicas or stand-ins allowed.  We'll get sponsors.

You wouldn't want to let down the community now would you Simon?

See you in San Francisco...


UPDATE: Simon is THE man!  He's accepted the battle.  We'll have an all-star panel of judges and Dan Kaminsky has agreed to referee.  Winner gets grandma's cookies! w00t!

Citrix's Crosby Says I'm Confused and He's RIGHT. [Rational Survivability]

Posted: 30 Oct 2008 10:45 PM CDT

Simon Crosby and I have been going 'round a bit lately arguing the premise of where, why, when, how and how much security should be invested by either embedding it in the virtualization platform itself or having it addressed by third parties.

Simon's last sentence in his latest riposte titled "Hoff is Still Confused" was interesting:

Re-reading Hoff's posts, I find that I agree with him in just about every respect in his assessment of the technology and its implications, and I think we're doing exactly as he would recommend, so I'll be interested to hear if he has more to say on this.

Well, how the hell am I supposed to argue with that!? ;)  OK, now I am confused! Simon's taken the high road and thus I shall try to do so, too.  I wrote a ton more in response, but I'm not sure anybody cares. ;)

All told, I think we're both aiming at a similar goal in spite of our disparate approaches: achieving a more secure virtualized environment.

But seriously, I don't think that I'm confused about Citrix's position on this matter, I just fundamentally disagree with it.

I feel strongly that Simon and I really are on different sides of a religious issue but without a more reasonable platform for discussion, I'm not sure how we'll intelligently discuss this more coherently without all the back and forth.  Perhaps a cage match in sumo suits!?

I appreciate Simon clarifying his position and reaching out to ensure we are on the same page.  We're not, but the book's not closed yet. 

So we agree to disagree, and I respect Simon for his willingness to debate the issue.


Please Help Me: I Need a QSA To Assess PCI/DSS Compliance In the Cloud... [Rational Survivability]

Posted: 30 Oct 2008 02:15 PM CDT


I wonder if you might help me.

I operate an e-commerce Internet-based business that processes and stores cardholder data.

I need a QSA to assess my infrastructure and operations for PCI/DSS compliance.

Oh, I forgot to mention.  All my infrastructure is in the cloud.  It's all virtualized.  It runs on Amazon's EC2.  All my data is hosted outside of my direct stewardship.  I don't own anything.

Since the cloud hides all the infrastructure and moving parts from me, I don't know if I meet any of the following PCI requirements:
I don't know if there are firewalls. I don't know about the cloud-vendor's passwords, AV, access control/monitoring, vulnerability management or security processes.

A friend told me about section 12.8, but it doesn't really apply because the "service" provider just provides me cycles and storage, I run the apps I build but I don't see any of the underlying infrastructure.

Also, I have no portability for BCP/DR because my AMI only runs on the Amazon cloud, nowhere else.  I don't know who/how backups are done outside of my manifest.

I'm sure we could ask though, right?

Update: OK, this post worked out exactly as I hoped it would.  On the one hand you have PCI experts who plainly point to the (contrived) example I used and rule empirically that there's no chance for PCI certification.   To their point, it's black and white; either Amazon (in this example) absorbs the risk or you can't use their services if you expect to be in compliance with PCI.

Seems logical...

However, this is the quandary we're facing with virtualization and cloud computing.  In terms of the companies that hire these PCI compliance experts, the assessment methodology/requirements are predicated upon a "standard" that continues to be out of touch with the economic and technological world around it.  That's not the experts' fault, they're scoring you against a set of requirements that are black and white. 

As companies try and leverage technology to be more secure, to transfer risk, to focus on the things that matter most and reduce costs -- if you believe the marketing -- it's really a no-win situation.

The PCI Security Standards Council doesn't even have a SIG for virtualization and yet we see the crushing onslaught of virtualization with no guidance and this tidal wave has been rushing at us for at least 3-5 years.   If you believe the uptake of cloud computing, we're blindly hurdling over the challenges that virtualized internally-owned infrastructure brings and careening headlong down a path to cloud computing that leaves us in non-compliance.

The definition of what a "service provider" means and how they interact with the cardholder data companies are supposed to protect needs to be redefined.

It's time the PCI Council steps up and gets in front of the ball and not crushed by it such that the companies that would do the right thing -- if they knew what that meant -- aren't punished by an out-of-touch set of standards.

TJX presentation @ NCA Conference [Napera Networks]

Posted: 30 Oct 2008 01:26 PM CDT

NCA's 2008 Security and Technology Conference was yesterday and Carlos Dominguez of Cisco opened the day with a high energy presentation that set a very high standard. I was pleased with the interest in my afternoon presentation on TJX, which was well attended.

The TJX data breach is worth following for two reasons. One is simply the mind boggling scale of compromising 45 million cards and nearly half a million identities over a period of years. Another is the demonstration of some great IT security precepts that everyone can learn from. In my presentation I give an overview of the American hackers who broke into the TJX network, the Eastern European and Chinese carders who facilitated the trading of the stolen cards, and the money mules in Miami who were caught using the cards.

The most important lesson of TJX is the simplest one - protect customer data at all costs, because once the genie has escaped from the bottle, it’s too late. I’ll look at distilling some of the presentation points into a blog post in the future.

I also touched on the recent UK ‘chip and pin’ compromise which relied on physically compromising the point of sale hardware, possibly at the point of manufacture in China, and then siphoning card data wirelessly to a site in Pakistan. There was lively feedback from the audience, and some great questions. One person related the UK POS hardware compromise to the recent discovery of grey market networking hardware in the US. This was an angle I hadn’t considered, and the sophistication of the UK POS breach shows grey market hardware is a potential opportunity for cybercriminals to further penetrate corporate networks.

Napera had a booth at the conference and it was great to catch up with customers and industry folks. We’ve been working with Tom Gobeille and his team at NCA in Washington, Oregon and California since we first launched the Napera N24 and yesterday’s gathering demonstrated NCA’s technology and service leadership in the Pacific Northwest.

ChrisB and Jason talking to a customer at the NCA conference.


$ sudo emerge -C gelmini :-) [Security Circus]

Posted: 30 Oct 2008 12:42 PM CDT


$ sudo emerge -C gelmini :-)


Italian streets hit by protests [Security Circus]

Posted: 30 Oct 2008 12:35 PM CDT

White Paper on the MS08-067 vulnerability and the associated malware [VRT]

Posted: 30 Oct 2008 10:34 AM CDT

Matt Olney, Alain Zidouemba and Lurene Grenier of the Sourcefire VRT have collated their analysis of the DCE/RPC vulnerability announced in Microsoft Security Bulletin MS08-067. A white paper that discusses this issue is now available at the following address: As always, we do not require any kind of form to be filled in, nor do we ask

Scareware pays … and pays well [Network Security Blog]

Posted: 30 Oct 2008 08:18 AM CDT

I figured that scareware (software that creates pop-ups telling you your computer is infected and can be cleaned for just $49.95) paid, otherwise organized crime wouldn’t be involved. But I hadn’t realized how well; according to the NYT, Bakasoftware made over $5 million last year selling their own software. Two things I thought were interesting. The first is that the software uninstalls itself if the owner of the computer is a Russian speaker (Bakasoftware is a Russian company). The second, which may just be coincidence, is that ‘baka’ is Japanese for fool or idiot. It’d make sense for a scareware company to name itself “Idiot Software”. And yes, I’ve been watching too much anime lately.


S4 Preview: Hardware Vulns in 802.15.4 Implementations [Digital Bond]

Posted: 30 Oct 2008 07:24 AM CDT

I will be previewing one S4 2009 paper each week. Digital Bond’s SCADA Security Scientific Symposium is Jan 21-22 in Miami Beach with an advanced control system security course on Jan 20th.

  • See the full agenda with detailed paper descriptions
  • Register to be a physical or virtual S4 attendee

Last week’s preview focused on physical layer vulnerabilities in IEEE 802.15.4, the protocol underlying Zigbee, ISA 100, WirelessHART and other protocols being considered and deployed in control systems. This week’s preview is a companion paper that focuses on IEEE 802.15.4 implementation errors at the data link layer. The two papers lead off S4 Day 2 and should be a very interesting pair.

Low Level Design Vulnerabilities in Wireless Control System Hardware

The IEEE 802.15.4 protocol can suffer from hardware and software implementation vulnerabilities like any other protocol implementation, even if the underlying protocol is vetted and considered secure. In this paper the authors, Bradley Singletary and Darren Highfill of EnerNex and Travis Goodspeed of UT/Knoxville, analyze 802.15.4 hardware and firmware implementations for vulnerabilities and resistance to attacks. Since popular hardware and firmware implementations of low layer protocols are often used in multiple vendor implementations, this work could have widespread ramifications.

Topics in the paper and presentation will include design-induced vulnerabilities such as the extraction and modification of communications device firmware, man-in-the-middle attacks between chips of a communications device, circumvention of protection measures, bus snooping, and other attacks. This abstract has me eagerly awaiting the full paper.

Other S4 Previews

  • Jamming and Interference Induced Denial of Service Attacks on IEEE 802.15.4 Based Wireless Networks

Links for 2008-10-29 [] [Sicurezza Informatica Made in Italy]

Posted: 30 Oct 2008 12:00 AM CDT

That Was A Huge Mistake []

Posted: 29 Oct 2008 11:03 PM CDT

I did my first “spin” class tonight. Holy cow am I wishing I hadn’t done that about now. The first 20 minutes I was cruising right along but then it started going downhill fast. By minute 35 I wanted to pick the bike up and throw it at the instructor. The last ten minutes I couldn’t stand while riding for more than 15 seconds. I’d look around and see a small kid, probably 12 or 13, pedaling along like it was nothing. Behind him was a woman at least 40 and probably closer to 50 able to do what I couldn’t. Boy did I feel like a pathetic turd. I thought for sure my heart was going to jump out of my chest during the last “climb.” I was struggling so hard that I couldn’t follow instructions in a timely manner. The instructor would bark out “up” and by the time I was up she was yelling “down” so for the last 3 minutes of the ride I was up when everyone else was down and they were all up when I was down. Rode 17.5 miles in 50 minutes…a real ass kicker. If you asked me right now I’d rather be punched in the face than do another spin class. 4 to 1 odds that I make the same stupid mistake next Wednesday.

VizSec 2008 and Ben Shneiderman’s Keynote [Raffy - Security Data Visualization]

Posted: 29 Oct 2008 06:06 PM CDT

VizSec is a fairly academic conference that brings together the fields of security and visualization. The conference had an interesting mix of attendees: 50% came from industry, 30% from academia, and 20% from government. I had the pleasure of being invited to give a talk about DAVIX and also participate on a panel about the state of security visualization in the marketplace.

The highlight of the conference was definitely Ben Shneiderman’s keynote. I was very pleased with some of the comments that Ben made about the visualization community. First he criticized the same thing that I call the “industry - academia dichotomy”. In his words:

“[There is a] lack of applicability of research.”

I completely agree, and if you have seen me talk about the dichotomy, I outline a number of examples where this becomes very obvious.

The second quote from Ben that I would like to capture is the following:

“The purpose of viz is insight, not pictures”

Visualization is about how to present data. I am not always sure that people understand that.

Unfortunately, I wasn’t prepared to capture what Ben said about my book (Applied Security Visualization). He brought his copy that I had sent him. He talked about the book for quite a bit and specifically mentioned all the treemaps that I have used to visualize a number of use cases. I felt very honored that Ben actually looked at the book and had such great things to say about it. The following lunch with Ben was a great pleasure as well, filled with some really interesting visualization discussions.

Welcome to our newest "VIPs" on VeriSign's Identity Protection Network [Online Identity and Trust]

Posted: 29 Oct 2008 04:14 PM CDT

Organizations around the world are deploying VeriSign® Identity Protection (VIP) services to stop fraudsters from tricking consumers into revealing sensitive private information. VeriSign Identity Protection service's one-time passwords (OTPs) are one element of a layered security approach. Other layers include Web site security brought by an Extended Validation (EV) SSL Certificate, fraud detection services to monitor anomalies on the back end, and consumer education.

The VeriSign Identity Protection Network allows consumers to use a single security device to authenticate themselves across any VIP-enabled Web site. So it's easier for all of us to stay safe online by integrating two-factor authentication into our online routine.

Our Newest "VIP" Members:
+ American Bankers Association (U.S.)
+ AWA Credit Union Ltd (Australia)
+ Central Murray Credit Union (Australia)
+ DocLocker (Australia)
+ Indusval Multistock (Brazil)
+ Joyo Bank (Japan)
+ Maitland Mutual Building Society (Australia)
+ Morgan Street Document Systems (U.S.)
+ South West Credit Union (Australia)
+ U.S. Department of Education (U.S.)
+ VietUnion (Vietnam)
+ Water ISAC (U.S.)

Extending the Reach of VeriSign Identity Protection With Global Partnerships
Enhancements to VeriSign's sales and delivery channel for VIP have also extended the network's market presence worldwide. VeriSign recently added to its channel and strategic partner ranks:
+ Blitz IT Consultants Pte Ltd in Vietnam
+ Senior Solutions in Brazil
+ Scitum and Netrix in Mexico
+ Bharti Airtel in India
+ iTrusChina in China
+ MSCTrustgate in Malaysia
And in the Europe, Middle East and Africa (EMEA) region, we launched a new program aimed at recruiting at least one anchor partner for the UK, Germany, France, Spain and Italy. We're working to ensure that VIP is represented via a robust and far-reaching ecosystem, particularly within the financial, retail, social networking and gaming markets.

Let's Give People What They Want
Here's a quote from a user of the Security Key who sells sports memorabilia on eBay:

"Before I started using my token, someone was breaking into my account every four to six weeks...I previously had to change my password constantly to keep others out of my account, but since I started using the PayPal Security Key, I haven't had to change it once."

At the eBay Live! event this past June, we surveyed 689 attendees about their experiences with the PayPal Security Key (a VIP token).
• A third of respondents said they use the PayPal Security Key.
• Nearly three-quarters of users said that their PayPal key is easy to use.
Most respondents said they wanted to enjoy VIP protection with a variety of services - including online banking, shopping, gaming and stock trading - while nearly half hoped to use their token to access health care services. We're hoping we can help make those requests a reality.

links for 2008-10-29 [Andrew Hay]

Posted: 29 Oct 2008 04:03 PM CDT

"EstDomains, a domain name registrar with a reputation for catering to cyber c..." [Security Circus]

Posted: 29 Oct 2008 03:42 PM CDT

EstDomains, a domain name registrar with a reputation for catering to cyber criminals, suffered another blow after the organization that oversees the net's address system said it would revoke the company's right to sell domain names because of a recent fraud conviction in Estonia of its president. In a letter addressed to EstDomains President Vladimir Tsastsin, an official with the Internet Corporation for Assigned Names and Numbers said EstDomain's registrar accreditation would be revoked on November 12. – Notorious registrar gets deactivation notice for president's sin

More Internet ignorance by Italian MPs [Security Circus]

Posted: 29 Oct 2008 03:34 PM CDT

Gunnar Peterson Channels Tina Turner (Sort Of): What's Happiness Got To Do With It? [Rational Survivability]

Posted: 29 Oct 2008 02:28 PM CDT

Gunnar just hit a home run responding to John Pescatore's one-line, twelve-word summarization of how to measure a security program's effectiveness. Read Gunnar's post in its entirety, but here's the short version:

Pescatore says:

The best security program is at the business with the happiest customers.

To which Gunnar suggests:

There's a fine line between happy customers and playing piano in a bordello.

...and revises Pescatore's assertion to read:

The best security program is at the business with sustainable competitive advantage.

To which, given today's economic climate, I argue the following simplification:

The best security program is at the business that is, itself, sustainable.

I maintain that if, as John suggests, you want to introduce the emotive index of "happiness" and relate it to a customer's overall experience when interacting with your business, then the best security program is one that isn't seen or felt at all. Achieving that Zen-like balance is, well, difficult.

It's hard enough to derive metrics that adequately define a security program's effectiveness, value, and impact on risk. Balanced scorecard or not, the last thing we need is the introduction of a satisfaction quotient that tries to quantify (on a scale from 1-10?) the "warm and fuzzies" a customer enjoys whilst having their endpoint scanned by a NAC device before attaching to your portal... ;)

I understand what John was shooting for, but it's like suggesting that there's some sort of happiness I can achieve when I go shopping for car insurance.


Online banking EV measurement is available [Tim Callan's SSL Blog]

Posted: 29 Oct 2008 02:04 PM CDT

As you know, I've been making a policy of measuring the effect of EV SSL Certificates (and therefore green address bars) on visitor behavior at various types of Web sites. One area that's been under-researched is online banking. I'm pleased to tell you that yesterday VeriSign announced the first such measurement on an online bank.

Michigan-based Flagstar Bank measured the effect of green address bars on new user signups. This strong regional bank saw a 10% increase in new account signups when green bars were present compared with when they were not. There are many reasons why increases in online transactions are good for banks. Costs are greatly reduced servicing customers on the Web rather than in person or on the phone. Customers have enhanced service opportunities online that generally lead to greater satisfaction and stickiness. And the bank has the opportunity to sell new services like a charge card or a line of credit. But the biggest reason by far is that savings and checking accounts are a retail bank's lifeblood. Signing up new accounts is the key to a bank staying in business and ultimately growing. And new accounts are the fuel that drives those added services mentioned earlier.

    Errata Security endorses McCain [Errata Security]

    Posted: 29 Oct 2008 01:35 PM CDT

    The choice in this election is between a small or large left-ward shift. McCain is a moderate Republican, Obama is a radical Democract. A bigger issue than the candidate is the Democrat-controlled congress. Our country was designed with the idea of checks and balances, but this system breaks down when the same party controls both the presidency and congress. Our country has prospered most when difference parties controlled these two branches of government.

    Technology regulation is the biggest concern for us. McCain is famously over a hundred years old and has never sent an e-mail. Yet, Obama is not much better. Whereas neither candidate knows much about computers, McCain has extensive experience in telecoms regulation. It is here where McCain has demonstrated a greater understanding of the Internet and its history.

    Obama has frequently described the Internet as something created by the government. In contrast, McCain watched the Internet evolve from its infancy. McCain remembers how the over-regulated telecommunications industry failed to innovate. He also remembers that the government did indeed design an Internet known as "GOSIP", and that this alternative Internet failed. McCain knows that today's Internet was designed not by government nor by corporations, but by mavericks that opposed both.

    A test of the candidates' desire to regulate is "Net Neutrality". Obama sees this as government protecting the people. McCain sees this as yet another example of the type of overregulation that destroys innovation. What concerns McCain is that Net Neutrality laws protect business interests, giving power to those at the "ends" of the network (like search monopoly Google) over those providing Internet service (like AT&T). McCain is concerned with the fact that Google has spent millions lobbying congress to pass Net Neutrality legislation. McCain is worried about the way Google has hired former FCC employees and Internet luminaries to do its lobbying, exactly the sort of Washington cronyism that has stifled telecommunications for the last 30 years.

    Government regulation cannot fix cybersecurity. There is a myth that some sort of "magic pill" will solve all security problems, and that government should just force everyone to take this "magic pill". This "magic pill" doesn't exist. If it did, everyone would have taken it already. No such pill will ever exist. Security is a tradeoff - each gain in security requires sacrificing something else. Different people want different tradeoffs and therefore different solutions (and different risks). Government regulation forces a one-size-fits all set of tradeoffs. We want less government regulation in cybersecurity. We want people to choose tradeoffs and risks for themselves.

    The state of the art of hacking and defense changes faster than government regulators can keep up. Today's compliance issues were based on a model where hackers attacked "server" vulnerabilities. Now hackers target mostly "client" vulnerabilities, and those regulations are out of date. Regulatory compliance is forcing companies to keep their focus on the old threat rather than addressing these new threats.

    Government regulation is corrupt. Laws are heavily influenced by lobbyists. Companies have cozy relationships with auditors that allow them to pass compliancy checks while having little or no security.

    McCain is not our perfect candidate in regards to Internet regulation, but he is much better than Obama and the Democrat-controlled congress.

    Economics is our second concern. Entrepreneurs and small companies drive the innovation in our industry. Most cybersecurity innovations come from the United States because of our business-friendly climate.

    Obama's tax plan hurts small cybersecurity companies. The majority of people we know work 80-hour weeks. Their spare time is spent reading technical books to keep their skills sharp. They quit their jobs at large firms in order to create an independent consultancy or create a new product company. It is this highly skilled, hard working professional that Obama proposes to tax in order to send welfare checks to unskilled laborers that don't work as hard. The cybersecurity professionals we know don't have time to watch much TV, the average American receiving Obama's checks spends 28-hours a week in front of the TV. This income redistribution is a strong disincentive to entrepreneurs. Why improve your cybersecurity skills, work hard, or take the risk with a startup if you cannot enjoy the rewards of doing so? This is a selfish point of view, of course, but a large reason we support McCain.

    Security is a luxury. It is one of the first things companies cut when profits decline, and one of the first things they invest in when things get better. Obama's anti-business policies, such as trade protectionism, will cut corporate earnings and reduce their investment in cybersecurity.

    And, the issue of regulation comes up again. Americans start their own businesses at a rate of 10 to 1 vs. Europe precisely because it's easy. In most other countries, it can take a year's wages and months of hard work just to get the business licenses needed to start a company.

    We are also concerned with foreign policy. Many foreign countries, notably China and Russia, have policies that encourage their citizens to attack American cyberspace. While we are not happy with the current president's Texas-cowboy approach of attacking foreign countries, neither are we happy with Obama's stated strategy of appeasement. We prefer McCain's more moderate approach between these two extremes. As a side note, we suggest that the next government respond in kind, making it easy for our own citizens to respond to these attacks.

    Both candidates displease us on certain issues. Both candidates failed on the issue of the so-called "Patriot" Act and the recent FISA bill. Both candidates fail on the issue of intellectual property. Both candidates fail on the issue of free speech, although we worry more about the passage of a so-called "Fairness" Doctrine next year designed to curtail right-wing speech.

    These issues are like the slavery debate 200 years ago. The issues are so integrated into society that many people cannot see their obvious immorality. We understand how our society is based upon the protection of property rights, and how intellectual property is a leading American export, but this should not blind us to the obvious abuse of intellectual property.

    In summary, we believe John McCain is the best candidate for cybersecurity. The next president will not help cybersecurity much. The most we can hope for is that they resist the urge to meddle in something that government does not understand, cannot understand, and which will ultimately be driven more by special interests than technical knowledge.

    EDIT: This blog asks whether security companies should endorse a president. It suggests our inspiration comes from movie stars, but in reality it comes from Google's endorsement of Obama. Why is the search/advertising monopoly allowed to endorse a candidate but not a small security consultancy?

    Still think passwords are reliable? [Branden Williams' Security Convergence Blog]

    Posted: 29 Oct 2008 01:28 PM CDT

    Researchers Martin Vuagnoux and Sylvain Pasini recently released videos demonstrating the ability to pick up electromagnetic emanations from wired keyboards. Both videos show how various configurations of standard keyboards could have their keystrokes intercepted through the air.

    Many of us have heard of the old TEMPEST project that was made famous by their demonstration of the ability to intercept the data that would be displayed on Cathode Ray Tube monitors. Imagine having someone sit outside your office or home and being able to see on their monitor the very same things you are looking at on yours.

    I wonder how many more corporate scandals would hit the press if this happened regularly.

    Now it appears that simply typing your passwords or authentication information on a keyboard could expose them to the world at large. If you never worried about using password-only authentication to protect data, you definitely should now.

    The truly scary piece for me is that now that this has been demonstrated, any attacks that we see will probably be narrowly focused and targeted. Security controls in most corporations are not designed to withstand such an attack. These attacks will single out individuals, an attack method that is widely successful.

    An additional factor of authentication such as a One Time Password might be able to stave off an attack, at least when it comes to leaking valid credentials to an attacker. Then again, depending on the method, it might not be able to do that.

    I'd be interested to see if someone could direct a signal at a machine to insert characters into the computer remotely. Wouldn't that be wicked?

    A Branding Exercise [Episteme: Belief. Knowledge. Wisdom]

    Posted: 29 Oct 2008 12:25 PM CDT

    I talk about it all the time: the most important thing that you must do for your career is branding your name. Your “Personal Brand” IS your career.

    I happened upon an interesting thought exercise for branding when talking with Melina the other day. We were talking about her business, and I asked the following question:

    What problem do you want your clients to have when they think of your name?

    That’s an incredibly powerful way to conceive of branding. It speaks to all elements of what a brand is - what you’re an expert on, what you’re known for, and how you help your clients on a daily basis.

    This is true whether you’re branding a business or developing your personal brand. Change it around for personal branding:

    What problems do you want your boss/peers/colleagues to have when they think about calling you?


    Xen.Org Launches Community Project To Bring VM Introspection to Xen [Rational Survivability]

    Posted: 29 Oct 2008 12:12 PM CDT

    Hat-tip to David Marshall for the pointer.

    In what can only be described as the natural evolution of Xen's security architecture, news comes of a Xen community project to integrate a VM Introspection API and accompanying security functionality into Xen.  Information is quite sparse, but I hope to get more information from the project leader, Stephen Spector, shortly. (*Update: Comments from Stephen below)

    This draws naturally obvious parallels to VMware's VMsafe/vNetwork APIs, which will yield significant differentiation and ease in integrating security capabilities with VMware infrastructure when solutions turn up starting in Q1'09.

    From the Xen Introspection Project wiki:

    The purpose of the Xen Introspection Project is to design an API for performing VM introspection and implement the necessary functionality into Xen. It is anticipated that the project will include the following activities (in loose order): (1) identification of specific services/functions that introspection should support, (2) discussion of how that functionality could be achieved under the Xen architecture, (3) prioritization of functionality and activities, (4) API definition, and (5) implementation.

    Some potential applications of VM introspection include security, forensics, debugging, and systems management.

    It is important to note that this is not the first VMI project for Xen. There is also the Georgia Tech XenAccess project, led by Bryan Payne, a library that allows a privileged domain to gain access to the runtime state of another domain. XenAccess focuses (initially) on memory introspection but is adaptable to disk I/O also:


    I wonder if we'll see XenAccess fold into the VMI Xen project?

    Astute readers will also remember my post titled "The Ghost of Future's Past: VirtSec Innovation Circa 2002" in which I reviewed work done by Mendel Rosenblum and Tal Garfinkel (both of VMware fame) on the LiveWire project which outlined VMI for isolation and intrusion detection:


    What's old is new again.

    Given my position advocating VMI and the need for inclusion of this capability in all virtualization platforms, versus that of Simon Crosby, Citrix's (XenSource) CTO, in our debate on the matter, I'll be interested to see how this project develops and whether Citrix contributes.

    Microsoft desperately needs a similar capability in Hyper-V if they are to be successful in ensuring security beyond VMM integrity in their platform, and if I were a betting man, despite their proclivity for open-closedness, I'd say we'll see something to this effect soon.

    I look forward to more information and charting the successful evolution of both the Xen Introspection Project and XenAccess.


    Update: I reached out to Stephen Spector and he was kind enough to respond to a couple of points raised in this blog (paraphrased from a larger email):

    Bryan Payne from Georgia Tech will be participating in the project and there is some other work going on at the University of Alaska at Fairbanks. The leader for the project is Stephen Brueckner from NYC-AT.

    As for participation, Citrix has people already committed and I have 14 people who have asked to take part.

    Sounds like the project is off to a good start! 

    Cloud Computing Security In Poetic Review [Rational Survivability]

    Posted: 29 Oct 2008 11:50 AM CDT

    This is in response to my buddy Alex Hutton's blog post titled "Cloud Computing - Stormy Weather?"

    If you took a poll
    of folks in a crowd
    asking them to define
    what they thought of "the cloud"

    I'd bet the dough in my pocket
    not one could agree
    on the relative impact
    it will have on IT

    Outsourced computing,
    utility, grid,
    distributed resources
    with the moving parts hid

    whatever you call it
    its adoption is brisk
    but like most "innovation"
    we've forgotten 'bout risk

    Cloud computing's a trade off
    Be sovereign or efficient
    I guess it depends
    on where you think you're proficient

    Some things are ripe to be cloudy
    Others? Not so much
    Some things we'll let go of
    others tightly we'll clutch

    Most companies I know
    manage risk with their gut
    when new tech comes along
    they're still mired in that rut

    So security gets blamed
    for standing in progress' way
    yet we're stuck with defending
    C, I and A

    We need to be agile
    but oh yeah, compliant
    Though the potential for loss,
    means our exposure is giant

    Cloud advocates say
    Amazon's never been breached
    so we can trust that our data
    will never be leached?

    I guess this all depends
    on which model of cloud
    you decide to rely on
    to make your CIO proud

    We've got wares as a service,
    Web 2 dot 0, SOA
    'lastic clouds, fuzzy storage
    It's the future, some say

    But I can't help but think
    the handwaving's distracting
    from the uncomfortable truths
    of what this is impacting

    We can't even manage
    the stuff that we own
    yet we're willing to outsource
    where our assets call home?

    We don't classify data,
    can't control where it goes
    but we'll transfer our risk
    to someone nobody knows?

    Disguising marketing efforts
    as tech. innovation
    and suggesting that insight
    will spur risk ideation?
    Reduce risk?
    Reduce loss?
    Create efficient operations?
    Those are quite lofty goals,
    worthwhile machinations

    But the cloud ain't an answer
    it's a cyclic response,
    evolutionary next-steps
    to what the tech. industry wants

    They can't solve real problems
    so a new one's created
    to distract from the point
    that we're being masturbated

    I'm all for the cloud
    been doing it for years!
    Got a real game changer?
    Hey man, I'm all ears.

    You dress up this pig
    in a nice looking dress
    security will be here
    to clean up the mess
