<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatoire de la securite Internet</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Where's Jack, updated</title><description>2016-03-28 11:30:17 - Uncommon Sense Security : A few changes and an addition. In the upcoming weeks and months I'll be speaking at the following events: InfoSec Southwest, Austin, April 8-10; Sayers Curio Technology Summit, Chicago, April 13; BSides Calgary, April 28-29; ISSA-LA Summit, May 19-20; IT-PRO, Seekonk MA, June 15; ISSA-NE, Waltham MA, July 12. I will not be speaking there, but I will be at the NIST Cyber Security Framework Workshop at NIST in Gaithersburg, MD. If you're going to be there, please say hello if you see me. And I'm sure I'll be at a few more. See you on the road. Jack</description><link>http://www.secuobs.com/revue/news/602159.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602159.shtml</guid></item>
<item><title>Debunking debunking, part 1</title><description>Secuobs.com : 2016-03-25 22:57:35 - Uncommon Sense Security - Things need to be proven, or disproven. Urban legends need debunking. But unless you dig into the history and have some context, you may be wasting your time. And if you have the context, you can make your case more convincingly. Let's venture into automotive lore for two examples. First, a simple one: there's a longstanding belief that you should never place a battery on bare concrete or it will damage the battery, or at least cause it to discharge. You regularly see shops with batteries on scraps of plywood to this day. I had this "debunked" at a manufacturer's tech training many years ago; one of the instructors put a fully charged battery on the bare floor at the beginning of a week of training, and it was fully charged at the end of the week. End of story, right? Well, not quite. First, the school was new and well equipped, it even had infrared heating, so the concrete floors were always warm, as opposed to the cold, damp floors many garages have throughout the winter. Putting a modern battery on a cold, damp floor really won't hurt the battery, but cold batteries don't release their power as well as warm ones, so putting a marginal battery on the floor could make it weak enough that it won't start a car without being charged. Second, above I said "Putting a modern battery on a cold, damp floor really won't hurt the battery." The word "modern" is key to this legend. In ye olden days car battery cases were made of "sealed" wood, then of natural rubber, both of which were somewhat porous. Concrete is very good at wicking moisture, so putting one of these old batteries on concrete could really discharge it and suck water out of the battery. Knowing this backstory means you can make a more convincing argument when faced with this particular legend. Later, I'll dive into one that has been "debunked" on TV and in universities, by people who apparently don't get the significance of context. Jack</description><link>http://www.secuobs.com/revue/news/602090.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602090.shtml</guid></item>
<item><title>Where's Jack?</title><description>Secuobs.com : 2016-03-07 19:56:05 - Uncommon Sense Security - "Hey Jack, you weren't at RSA/Shmoo/Derby, what's up with that?" Well, life and stuff. But I am out and about quite a bit, I'm just much more likely to be at smaller and more regional events lately. I heard there were something like 40,000 people at RSA; it seemed to do OK without me this year. In the upcoming weeks and months I'll be speaking at the following events: BSides Salt Lake City, March 10-11; Chattanooga ISSA, March 14; InfoSec Southwest, Austin, April 8-10; Alberta (ISC)2, Calgary, April 27; BSides Calgary, April 28-29; Rocky Mountain Information Security Summit, Denver, May 11-12; ISSA-LA Summit, May 19-20; IT-PRO, Seekonk MA, June 15; ISSA-NE, Waltham MA, July 12. And I'm sure I'll be at a few more. See you on the road. Jack</description><link>http://www.secuobs.com/revue/news/600396.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/600396.shtml</guid></item>
<item><title>For the bored: Infosec Noir</title><description>Secuobs.com : 2016-01-24 01:38:43 - Uncommon Sense Security - Instead of doing productive things I've found a new outlet for self-entertainment, and I seem to be amusing a few others, too. My newish Twitter account is @InfosecNoir, it is "The adventures of Jimmy Black. He decrements the TTLs of cybercriminals so you don't have to. He has a drinking problem, but only when his glass is empty." It is pretty low volume, and is meant to entertain me. If it entertains you, too, then maybe follow, or just check in occasionally. Important note: while some of it is autobiographical, and some is "based on true stories", much is pure fiction. I'll admit the first tweet is autobiographical; after that, your guess is as good as mine. And for the pedantic, it was Atorvastatin, not Lipitor. Yay generics. Jack</description><link>http://www.secuobs.com/revue/news/596343.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596343.shtml</guid></item>
<item><title>Open Live Writer</title><description>Secuobs.com : 2016-01-20 01:45:25 - Uncommon Sense Security - Oh, hey, bloggy thing. I know I should blog more, both here and over on my travel/drinking blog, but you know. Open Live Writer: one very nice recent development is that a team at Microsoft has created an Open Source fork of Windows Live Writer. WLW used to be a really sweet, lightweight WYSIWYG blog tool for Windows; then it got Microsofted and bloaty, then abandoned. Open Live Writer brings it back from the dead, updates authentication to work with modern platforms, and pulls out a lot of cruft. It is still early in development, but so far it is working well for me and I do not miss any of the "missing" features. I'm enjoying the speed and functionality of Open Live Writer, and I'm grateful that some folks at Microsoft have revived this great little tool. If you are a blogger and Windows user, check it out. Jack</description><link>http://www.secuobs.com/revue/news/596014.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596014.shtml</guid></item>
<item><title>Introducing the PIVOT Project</title><description>Secuobs.com : 2016-01-17 19:40:30 - Uncommon Sense Security - OK kids, this is cool. Know a hacker or computer club or school that could use some free, community-contributed labs? Pivot Cyber Challenges. From the website (pivotproject.org): "People who earn great jobs in cyber security have mastered both academics and hands-on skills. But where can people with a wide variety of skill levels get hands-on practice with real-world cyber security problems? On January 12, the PIVOT project goes live to help meet that need. PIVOT makes it possible for students and others, all over the world, to build their hands-on skills in a fun, challenging, real-world cyber environment. PIVOT provides exciting hands-on labs and challenges for student groups and associated faculty, completely free. Through a variety of engaging downloadable materials, participants build their hands-on skills to help them pivot from academic studies to their future cyber security careers." To kick things off there's a contest to get things moving and gather feedback: "We're launching PIVOT with a special contest and over a dozen prizes so you can help make PIVOT even better. Prizes include gift cards, club pizza feasts, t-shirts, and more. To participate in the contest and help us make PIVOT even better, all you need to do is have your group work through your choice of at least two of our current labs, and then have a student leader or faculty member fill out our contest form by February 15, 2016. The contest form gathers information about your experiences with the labs and recommendations for additional PIVOT challenges. From all submitted entries, we'll select the top 5 with the most useful input to receive our grand prizes. Then, from all submitted entries, we'll select another 10 at random to receive a prize." Please check out PIVOT Project and spread the word; it is off to a great start, but now we need to build the community. Jack</description><link>http://www.secuobs.com/revue/news/595805.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/595805.shtml</guid></item>
<item><title>A different kind of magic</title><description>Secuobs.com : 2016-01-09 17:31:21 - Uncommon Sense Security - Yesterday the world lost a good man, and the hacker community lost a great friend. David Jones, better known to many as Rance, or @RevRance, ended his battle with cancer early yesterday morning; his suffering is over. [Image: a great photo of Rance by Kevin Riggins.] Throughout history we've called anything we don't understand "magic". Those of us in technical fields often think of Arthur C. Clarke's third law, "Any sufficiently advanced technology is indistinguishable from magic," but many things we don't understand other than technology have been called magic as well. Rance had a special magic. We may not have understood how he always seemed to know who needed a kind word, or how he knew exactly what the needed word was, but he did. In the last couple of years it was sometimes hard to understand how he remained so kind, generous, and happy in the face of his cancer battles, but he did, because he was Rance. That is a special kind of magic, and we will miss it dearly. While we mourn our friend we can remember him best by trying to find a little of that special Rance magic in ourselves and each other. Jack</description><link>http://www.secuobs.com/revue/news/595240.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/595240.shtml</guid></item>
<item><title>Recruiter and SEO response templates</title><description>Secuobs.com : 2015-10-02 19:36:11 - Uncommon Sense Security - I'm normally sympathetic to technology recruiters, but some are just hopeless. These, I have no sympathy for. And the SEO spammers, no sympathy for any of them. Every now and then, one is so obnoxious that I feel compelled to respond, and as a community service I'm sharing templates I use for responding to the worst of them. For the recruiters: "Dude/Dudette, I hate to be an ass, but really, digging up an ancient resume and throwing names at the wall to see if any stick, this is why recruiters like you and your ilk are loathed. As someone who spends a lot of time trying to help folks develop and advance their technology and security careers this shit really pisses me off. I'm not interested in moving at this time, but not being a fool I would entertain appropriate offers. That means a minimum of [INSERT LARGE NUMBER HERE] plus options or equity, a maximum of [SMALL AMOUNT OF TIME HERE] hours per week dedicated to direct company work, support of my [LARGE NUMBER] of hours per week for community development and engagement, plus research time. Oh, and support of my [TRAVEL, SPEAKING, DRINKING, ETC.] schedule." The one I use for SEO is specific to Security BSides, but feel free to adapt as appropriate for your needs: "I'm sorry [SEO SCUMBAG'S NAME HERE], but we're a global community of technology and security experts, many of us have been in the field since pre-Web days and none of us has ever heard of you or your firm. We have a globally recognized and respected brand and have drawn several thousand participants to hundreds of events around the world without your help. In fact, perhaps you would be interested in contracting with some of our technology, social media, and marketing experts to help build your brand, at competitive consulting rates, of course. If not, please remove this, and every other Security BSides affiliated email from your lists."
Yes, I can be a bit of an ass, but it is occasionally justified. Jack</description><link>http://www.secuobs.com/revue/news/585520.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/585520.shtml</guid></item>
<item><title>SWAMP, the Software Assurance Marketplace</title><description>Secuobs.com : 2015-09-20 19:46:07 - Uncommon Sense Security - I recently took a fresh look at the SWAMP, the Software Assurance Marketplace; it is a great idea and a valuable resource. The short and incomplete story is that SWAMP is a suite of software analysis tools integrated into a centralized, cloud-based software testing environment, and it is available to software developers, software tool developers, and researchers, for free. From their website: "Software is a crucial component of daily living, affecting worldwide economic structures and the services we depend on every day. With the increasing rate of security breaches, it is clear that conventional network security solutions are no longer able to defend our privacy, corporate data, and critical banking information. Today's applications need to be built more securely at the code level, and that code needs to be tested regularly. The SWAMP was developed to make it much easier to regularly test the security of these applications and to provide an online laboratory for software assessment tool inventors to build stronger tools. Testing is often complicated and challenging, because comprehensive testing requires the use of several disparate tools with no central means of managing the process. The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation. A first in the industry, the SWAMP also offers a library of applications with known vulnerabilities, enabling tool developers to improve the effectiveness of their own static and dynamic testing tools. Created to advance the state of cybersecurity, protect critical infrastructures, and improve the resilience of open-source software, the SWAMP integrates security into the software development
life cycle and keeps all user activities completely confidential." The current test environment is able to test software written in C/C++, Java (including Java on Android), Ruby and Python, with JavaScript and PHP in development. SWAMP will support eight languages by the end of the year. There are currently sixteen tools in the suite with more being added, and numerous commercial companies are participating, including Veracode, CodeDX, Goanna, GrammaTech, and Parasoft. The Marketplace team includes some serious academic centers for technology: the Morgridge Institute and the Department of Computer Sciences at U of Wisconsin-Madison, the Pervasive Technology Institute at Indiana University, and the National Center for Supercomputing Applications (NCSA) at U of Illinois Urbana-Champaign. In my conversation with Bart Miller and Miron Livny of SWAMP it was clear that this project was built for practical use in the real world; it is not an academic exercise, this is immensely practical and useful stuff. There are many more details on their background page, including some impressive tech specs (at least I consider 700 cores, 5 TB of RAM, and 104 TB of HDD impressive). We are going to try to get folks from SWAMP on the Security Weekly Podcast to discuss the marketplace in depth. Stay tuned for more on that. Jack</description><link>http://www.secuobs.com/revue/news/584081.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/584081.shtml</guid></item>
<item><title>A long overdue note of thanks</title><description>Secuobs.com : 2015-09-14 17:38:29 - Uncommon Sense Security - It has been way too long since I stopped and thanked folks to whom I owe a debt of gratitude; today I would like to start to remedy that. I have been incredibly fortunate to have had a series of great jobs with outstanding employers over the past several years. Without the support of my employers I would not have achieved what I have, and I couldn't have contributed near as much to the many communities and causes I've been able to support over the years. Almost eight years ago I joined Astaro, a German UTM company. I started in the support team, but ended up in the role of Community Development Manager or something like that. Astaro was where I really started expanding my engagement with the hacker and security communities beyond my home turf of Boston and Providence; at first they tolerated it, then they encouraged it, and eventually encouraged it and supported many community events. (BSides trivia: Astaro was the first company to put up sponsorship money for Security BSides.) The team at Astaro was great, and I think that was a reflection on the founders, three college friends, very smart, but different people. Jan Hichert, Markus Hennig, and Gert Hansen built a strong team, and a great company. Sophos agreed, and acquired Astaro in 2011. Jan, Markus, and Gert have a new company now, Ocedo, and it looks like they're putting together another solid company. I owe Jan, Markus, Gert, and the entire Astaro team thanks for all of their support and encouragement, and I wish them the best of fortunes in their latest and future ventures. In 2011, as Astaro was being acquired by Sophos, I had a conversation with Ron Gula about joining Tenable Network Security. I had chatted with Ron and also with Jack Huffard about joining Tenable in the past, but this time it seemed like it was time for me to make the next step in my career. Tenable was founded by three very
smart, but very different people, Ron Gula, Jack Huffard, and Renaud Deraison (I see a pattern here). I have evolved through a variety of roles at Tenable, all the time getting the support that has enabled me to continue to engage with various communities and projects that I have supported through the years. At Tenable I've had the amazing fortune to work not only with the founders, but also with people like Marcus Ranum, Cris Thomas (better known as Space Rogue to most folks), Carlos Perez, Paul Asadoorian, and many others. As with Astaro, I owe Ron, Jack, Renaud and the team they've built at Tenable many thanks for the opportunities I've been given and the support I've received. So when I'm whining on Twitter or wherever, remember that I have been fortunate enough to work for and with some brilliant people, and not just brilliant, but genuinely good people. Can you imagine how much of a bitter old man I'd be if it weren't for having awesome jobs? Jack</description><link>http://www.secuobs.com/revue/news/583440.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/583440.shtml</guid></item>
<item><title>If you're going to be upset with me, please do it for the right reasons</title><description>Secuobs.com : 2015-09-14 12:02:10 - Uncommon Sense Security - First, I'm speaking personally here; I am not speaking for anyone else, or for any organization, just for me. Second, please remember that BSides Las Vegas is not Security BSides. Each Security BSides event is organized and operated separately. Although there are familiar faces at some BSides (and also at many other non-BSides events), they are separate events and organizations. As of this writing there have been 202 Security BSides events across 83 cities which were not BSidesLV. Please do not let any frustration you have with Security BSides Las Vegas damage the work of thousands of people building communities around the globe. I doubt I'll change any minds, but I want people to understand my perspective on what happened between Security BSides Las Vegas, Inc. and Adrian Crenshaw, better known as Irongeek to many. Adrian has been a huge asset to the security and hacker communities for many years, providing videography and other services to a myriad of events, generally for free or for token assistance with expenses. Until recently I considered Adrian a friend, and I still do, although I doubt he feels the same towards me. I can't blame him if he no longer considers me a friend, and this truly saddens me. I still have a great deal of respect for Adrian and for what he does and has done for the communities he serves. Adrian's website, Irongeek.com, is an amazing resource; it houses a phenomenal archive of presentations from a multitude of conferences. If you are unaware of the situation, it might be good to see Rob Graham's post at Errata Security (Rob has a detailed and independent view), and also see the official statement from the BSides Las Vegas Board of Directors. Or maybe you'll want to ignore it altogether; many do. Some folks mistakenly think this was about Adrian's views on women and is some kind of
politically correct attempt to silence him; that is absolutely wrong. We (I and other members of the BSidesLV board) have defended Adrian's right to voice his opinions. Even when BSidesLV was challenged for having someone with some of his views on staff, we defended his right to express himself and we continued to embrace Adrian as part of the BSides Las Vegas team. We are a diverse community, and we have diverse opinions. Security BSides Las Vegas has encouraged diverse voices from the beginning, including content some found offensive. From Val Smith's brilliant social and political rant at the first event through John McAfee last year, from topics like 3-D printed sex toys to prostitution on Craigslist, we have never been shy about hosting and encouraging challenging ideas. Some will remember that BSidesLV's response to an unfortunate situation with Violet Blue at another event was to invite Violet to keynote BSidesLV 2013 to make sure her voice was heard. I do not want to silence Adrian. I have defended his right to voice his opinions, including those I strongly disagree with, and I will continue to do so. I'm no Voltaire, but the quote from Evelyn Beatrice (often misattributed to Voltaire himself), "I do not agree with what you have to say, but I'll defend to the death your right to say it," applies here. OK, maybe not all the way to death, but you get the idea. So what happened? Adrian inserted offensive popups between content hosted on his site and anyone accessing the site from Mississippi State University, apparently because of a long-running disagreement with Wesley McGrew, an associate professor at MSU. Wesley has had disagreements with others in the past, but that isn't really relevant here. Regardless of what Wesley said or did to Adrian, part of Adrian's response used content donated to the community and entrusted to BSidesLV to advance his personal agenda without the consent or even knowledge of those whose videos were hosted on Adrian's site. BSides Las Vegas was
notified and called out publicly and privately for the offensive material, and once it became public, the response had to be public. Sadly, the appropriate response was terminating our relationship with Adrian and stating it publicly. Although not part of my decision to support the board's actions, I feel the issue was compounded because the few who saw the offending messages were students; the next generation of our industry was exposed while trying to learn from community contributed content. I regret the action we had to take, but I stand with the board. Could we have handled it better? Of course, but I'm not sure exactly how. Maybe the wording of the statement could have been better, but the entire board was involved in drafting the statement. If you have genuinely constructive suggestions or criticisms, I welcome them. That's the short version (yeah, almost 800 words is the short version), but I'm including a few points below to address specific comments I've seen. There's no prize for reading to the end, but if you want more context, please read on. The fact that few saw the message, and that the content was available elsewhere, does not change the fact that community contributed content was used to promote offensive messages in a personal disagreement. No, it wasn't just an "April Fools" joke; I checked my calendar and couldn't find April 1 anywhere in September. It may have started with that, but it ran long after April 1, and the timing of hundreds of hours of new content uploaded over the summer and a new semester at the university inevitably led to the offensive messages being seen by students and reported publicly. And to be clear, Adrian is not "banned" from BSidesLV. I would welcome him with open arms if he ever wants to attend another BSides Las Vegas. Oh, and David Kennedy is a gentleman. Many people are only friends when it is easy to be friends, which isn't really what I consider friendship. David, thank you for being a friend with whom I can disagree and still
remain friends. About the public response: in the past several years I have helped to mediate a number of conflicts, both public and private, within the hacker and InfoSec communities. One of the clear lessons I've learned is that once an issue is public, any attempt to sweep it under the rug is likely to backfire. Had the BSides Las Vegas Board of Directors attempted to be silent on this issue we would have been called out for it, and the issue would have become public, but not in any way under our control. The immediate rush by some to take sides wasn't unexpected, but it was generally disappointing. I have received many messages of support, but some were concerning rather than comforting. There seemed to be a significant, but not universal, split along an already stressed line: those who primarily self-identify as "hackers" were more likely to attack BSidesLV; those who identify as "InfoSec" were much more likely to support BSidesLV. I guess we still have work to do bridging the gap, and those of us who straddle it continue to struggle. Statements like "there's no room for misogynists in InfoSec" are problematic for me. I've had my little battles with systemic misogyny, notably the "booth babe" phenomenon; this led to my parody company Misogyny Networks and a few amusing encounters. But "there's no room for [X]ists in [Z]" is troubling once we abstract it from the specifics. Thierry Zoller recently shared a video on "The Right to Offend", delivered by Brendan O'Neill at Oxford, https://youtu.be/BtWrljX9HRA. That video and https://youtu.be/Ya2nUm6UqLM by Shami Chakrabarti at the same event are powerful reminders of the importance of dissent and the freedom to offend. A factor that some have overlooked is that BSidesLV is different than many conferences. Security BSides Las Vegas, Inc. is a Nevada Charitable and Educational Non-Profit Corporation, and a 501(c)(3). The current corporation and board were built after BSides Las Vegas reorganized after earlier struggles; it was a conscious
decision to create a 501(c)(3) and create a transparent and structured entity, but that meant being a real corporation, with lawyers, accountants, bookkeepers, insurance, directors, officers, and policies. And legal and financial restrictions. It also means that we annually review and sign our conflict of interest policy and submit it to the Nevada Secretary of State; it means we have our Sarbanes-Oxley-mandated Compliance Officer, and a lot of other fun things. At our size it means our tax forms do not end in "EZ", and they aren't completed in an afternoon. It means we act like a corporation, because we are. So if the response seemed a bit corporate, it was. On the other hand, this structure means stability and survivability. It means unusual levels of transparency for a conference, including publicly available tax records and other filings. It also means that we are able to continue to offer free, anonymous, walk-in registrations, since our non-profit status helps us manage expenses. Hopefully you now understand my perspectives, and if you're upset with me about this, at least you're upset for the right reasons. Jack</description><link>http://www.secuobs.com/revue/news/583396.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/583396.shtml</guid></item>
<item><title>Packing up and moving</title><description>Secuobs.com : 2015-06-24 18:09:56 - Uncommon Sense Security - No, not a real blog post, just a quick note. Yes, I feel guilty about that. I'm changing domain registrars and will inevitably miss a simple step and knock myself offline, but I'll be back here if I disappear. Jack</description><link>http://www.secuobs.com/revue/news/575307.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/575307.shtml</guid></item>
<item><title>IEMs, In Ear Monitors</title><description>Secuobs.com : 2015-04-19 03:55:28 - Uncommon Sense Security - I'm old. My hearing sucks. Years of power tools, especially air tools, a few concerts with the volume cranked to 11, and age have combined with male selective hearing to leave me with a bit of hearing loss. Not bad, mind you, but I know I've lost a lot of hearing range. But I recently gambled on an inexpensive pair of IEMs, and was amazed at how much better they are than any earbuds I've ever tried. Even the bottom end of the Shure IEM line lets me hear things in music that I haven't heard in years. I'm not likely to get much value from high-end IEMs, but I may experiment. And properly fit earpieces block so much noise that they shut out the world as well as noise cancelling headphones, but with vastly better acoustic range. I use them all the time now. But now I'm walking around San Francisco (a remarkably safe city, BTW) and I'm freaked out by the sound isolation; my loss of situational awareness makes me uncomfortable even on a gorgeous day in a nice neighborhood. I've started walking around with one earpiece out, only listening to music through one ear so I can hear the world around me. Thankfully I realized the problem in a safe environment. Once again I'll leave you to connect the dots to InfoSec (new toys, myopic focus, loss of big picture). Jack</description><link>http://www.secuobs.com/revue/news/567665.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/567665.shtml</guid></item>
<item><title>Software Stockholm Syndrome</title><description>Secuobs.com : 2015-03-09 17:16:39 - Uncommon Sense Security - Q: Why do you use that software? It's horrible! A: Because it's what I know, and once you get used to it, it isn't so bad. Sound familiar? It's what I like to call "Software Stockholm Syndrome", and we're all victims. Take the application I'm using to write this post, Windows Live Writer. Writer used to be a sweet little WYSIWYG blog editor, lightweight and versatile. Sure, a little light on features, but a great little app. Microsoft put their stamp on the app they acquired with the Onfolio acquisition until it had a few more features and a stunning amount of bloat. And yet, I use it regularly. OK, not that regularly (it gets more use these days for my travel/drinking blog), but I stick with it because I know it. Don't laugh, pretty much everyone does it with some software. Some companies are worse than others; even Apple does some things horribly. See every other iteration of the dreaded iTunes (aka iTurds), or that recent OS update that shattered audio (and other) workflows. Software Stockholm Syndrome is part of the reason that those people whose computers you fix don't want to give up their AOL accounts, or Windows XP, or whatever. But it isn't just the luddites; even those of us who love new stuff cling to a few things out of familiarity. Of course, newer isn't always better (what, did I say "Windows 8"?), but if we don't question our choices we're all stuck with crappy software because "it's popular". I don't have a cure for Software Stockholm Syndrome, but as with many problems, awareness is the first step to recovery. Jack</description><link>http://www.secuobs.com/revue/news/562684.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/562684.shtml</guid></item>
<item><title>We need to talk about attribution</title><description>Secuobs.com : 2015-02-11 04:21:27 - Uncommon Sense Security - One of the InfoSec community's greatest distractions lately has been attribution, both specifically and generically. Let's start with the Sony fiasco and the FBI's pinning the attribution tail on the North Korean donkey. Many people have beaten this to death; there has even been name calling over it. And I don't care. There are certainly questions unanswered, but I'm not opposed to the idea that it was North Korea, I'm just not convinced "beyond a reasonable doubt". The argument is lost in the greater public; everyone believes it, just like they believe "hackers" are all bad. In InfoSec many of us refuse to blindly believe the government for a variety of reasons: political, factual, conspiratorial, and probably even astrological. Here's my take: if the FBI came out and said something like "Hey, remember those Snowden docs? Well then you won't be surprised to hear that we're all up in North Korea's stuff and have been for years. The NSA saw things come and go which prove to us that they are responsible, but we can't show you the sensitive bits for obvious reasons," we would have grumbled about facts and proof and stuff, but I think many of us would have bought the story more than we did with the approach they took. I'm not sure how Sony would have felt about that revelation, but they've probably figured it out by now. The feds told us they had proof, then released some data, some of which was refutable or inconclusive, and being skeptics, several folks in InfoSec took the data apart and poked holes in some details and raised questions about others. Being skeptical is what we do. Gullibility is not a great trait for a career in InfoSec. Even if the feds had released what they did with the disclaimer "this is imperfect, but it is all we can release because [reasons]" it would have been better. But most folks bought the story blindly, so I guess they don't
need PR lessons from me. If you want some good reading material on attribution, Marcus Ranum recently wrote "Attribution is Hard" Part 1 and Part 2, a good look at the challenges of attribution. If you want more visceral posts on attribution, head over to Krypt3ia's blog for some great rants and content. As for me, when I feel like getting all wound up over attribution I update and patch systems in my home and lab environments; it is more productive than pinning the attribution tail anywhere other than on my own butt. The fundamental flaw with most attribution stories I see is that they are based on forensic evidence alone. That means evidence the attackers were willing to let us see. That's a problem for me: it means that if the apparent attacker is the real attacker, I've been beaten by a lazy or incompetent attacker, and otherwise I'm unlikely to find the real culprit with my limited resources. Either way, I would be better served making backups, checking configurations, and typing "yum -y update" or "apt-get update" into SSH sessions. Don't get me wrong, for some folks attribution is important, and for many of us it is an amusing diversion. If you are trying to prosecute criminals, you need solid attribution. If you are doing serious threat intelligence then attribution matters (whatever the hell "threat intelligence" means; it's become yet another InfoSec term that means so many different things that it means nothing). If you have the choice between spending your limited post-breach resources on chasing attribution or fixing stuff, I suggest you fix stuff. If you have truly secured your environments well and have the resources, maybe post-breach attribution will be valuable. I think those situations are rare. Note that I resisted the temptation to say "if you've secured your environment you wouldn't need attribution because you wouldn't get breached"; I think we all know those days are long gone (if they ever existed). Jack (as far as you can tell)
</description><link>http://www.secuobs.com/revue/news/558971.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/558971.shtml</guid></item>
<item><title>But Jack, community and stuff</title><description>Secuobs.com : 2015-01-30 13:57:22 - Uncommon Sense Security - A few folks have asked me about my roles on the advisory board for Intelligent Defence and as a judge for RSA's new crowdsourced track. I'm often thought of as "Mr. BSides", which is unfair to a lot of people who do a lot more than I do to build and sustain the Security BSides movement and community, and unfair to the thousands of organizers, volunteers, speakers, sponsors, and participants who make BSides what it is. This also overlooks the fact that I have long been engaged with a variety of groups and events, and I work in the security industry. The short version of the story is this: two big events are listening to their attendees and responding to their audiences' requests, and they asked me to be involved. As someone who has pushed for better content, conversations, and community engagement in numerous events and organizations over the years I jumped at the opportunities; I would have to be a much bigger hypocrite than I already am to decline the requests. Of course I am watching to see if these new programs have any impact on the local security and hacker communities, but the nearby BSides San Francisco and BSides London events have a very different vibe from RSA and Infosecurity Europe, and other events such as 44Con are at other times of the year. My hope is that the new programs will expand the much-needed conversations about information security and security research and help grow the security community, that's why I'm involved. Jack</description><link>http://www.secuobs.com/revue/news/557277.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/557277.shtml</guid></item>
<item><title>RSA Conference's new crowdsourced submissions program</title><description>Secuobs.com : 2015-01-29 07:20:22 - Uncommon Sense Security - The US RSA Conference is adding something new for 2015, a crowdsourced submissions track. RSA gets a stunning number of submissions each year, and it takes a long time to sort through them all- leading to a common grumble about the long lead time between submissions and the conference. And as with almost any event, some question why certain talks were accepted over others. RSA has been listening, and is trying this new crowdsourced track to address some of the feedback they have received. You want a short lead time for talks to allow for recent topics? You want a say in some of the talks which get accepted? The new track will add 12 sessions to answer these requests. The Call for Papers opened today, January 29, and will close on February 27 (less than two months before the event). Given the size and scope of the RSA Conference, it is significant that they have taken this step. I am excited to be one of the judges for this program, joining industry leaders Alex Hutton, Eve Maler, Jennifer Minella, and Rich Mogull. Our role is to make sure the submissions follow the guidelines, aren't sales pitches, and to filter out any "ballot stuffing" which might happen. See the Crowdsourced Submissions FAQ for details.</description><link>http://www.secuobs.com/revue/news/557057.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/557057.shtml</guid></item>
<item><title>Infosecurity Europe's new "Intelligent Defence" conference</title><description>Secuobs.com : 2015-01-26 21:09:43 - Uncommon Sense Security - My friends over at Infosecurity Europe have been listening to their attendees- and that's pretty cool. From the Intelligent Defence site: "Infosecurity Europe's meticulous research revealed that attendees of the Number 1 exhibition and conference in Europe require more in-depth, technical research sessions." The folks at Infosecurity listened, and then acted, creating this new conference which will run parallel with Infosecurity Europe. Again from the Intelligent Defence site: "Infosecurity Intelligent Defence 2015 is a two-day, technical security conference, focusing on the latest research into vulnerabilities and exploits and sharing insight into how to defend against them. The Conference provides a new and exciting platform for the latest technical research and defensive tools and techniques to be shared with the wider information security community." I am honored to be a member of the Advisory council for Intelligent Defence, along with industry luminaries Dr. Eric Cole, Rik Ferguson, Trey Ford, and James Lyne. The call for papers for Intelligent Defence is open until Thursday, February 12, so act fast if you want to get in on the first year of this new event. Note: yes, I know they spell "defence" (and a lot of other things) funny over there- like what's with all the extra "u"s? I must now run and hide from my "proper" English speaking friends. Jack</description><link>http://www.secuobs.com/revue/news/556649.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/556649.shtml</guid></item>
<item><title>Update on Security BSides</title><description>Secuobs.com : 2015-01-03 03:12:00 - Uncommon Sense Security - Another year is gone, and it was a pretty amazing one for Security BSides. It is hard to believe that this adventure began five and a half years ago, with the first event happening in July of 2009. BSides has exploded since then, there have been a total of 167 BSides events globally- with 58 in 2014 alone. BSides have now been held in 74 cities in 16 countries, on every continent except Antarctica. 2014 brought BSides to more than a dozen new cities across the world, including the first events in Asia. Some of 2014's new BSides cities included Dubai (UAE), Hyderabad (India), Singapore, Bogota (Colombia), Reykjavík (Iceland), Hamburg (Germany), and many across the US. Check out the "World of BSides" map showing all BSides cities. There are already well over a dozen BSides events on the calendar for 2015, with many more in the planning stages. The latest information on all BSides events can always be found on the BSides wiki. BSides is a stunning success because of the huge community of organizers, volunteers, speakers, sponsors, and participants who have come together to make something amazing. The "What BSides Means to Me" page on the wiki has some fantastic insights into what drives us to sustain and grow BSides, it is worth a read. Jack</description><link>http://www.secuobs.com/revue/news/552852.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/552852.shtml</guid></item>
<item><title>"Is your computer working?"</title><description>Secuobs.com : 2014-12-30 03:34:42 - Uncommon Sense Security - As promised, that other hospital tech incident. I was leaving a friend's room right after the nursing shift changed and the new nurses were beginning their rounds. As I was preparing to leave I heard the nurse outside my friend's room call down the hall "Is your computer working?" I paused in saying my goodbyes and we listened to the nurse muttering and typing ever louder on the mobile cart keyboard. Not good. Especially since that computer stood between my friend, and every other patient, and medications. The nurse popped in, said they were having computer issues, and that she was going to pull his medications manually- the delay would only be a few more minutes. And true to her word, his meds arrived only about 20 minutes late thanks to a manual backup routine for checking out medications. As I left I saw that two of the cart computers were displaying "unable to authenticate" errors. I don't know what the problem was, and my friend never found out. I guess he was too busy being seriously ill to diagnose authentication failures. Not bad, eh? There was a system failure, but backup procedures were in place to prevent serious problems. High fives for all! Not so fast. That 20 minute delay doesn't seem significant, unless of course you were the one waiting for medication. Most critical meds would be administered intravenously so... wait, those are behind the same system. But still, only a 20 minute delay... except the process had to be repeated for each patient until the error was resolved, and the manual paper records had to be transferred into the computers when they were restored- so at the end of their shift the nurses were further distracted from patient care to do data entry. I'm not repeating these medical computer issues to throw stones at the medical profession, or at technologists working in healthcare- but to illustrate some fundamental issues with technology and security. In the first tales of poor communication, there seemed to be a few symptoms and causes, but one crucial result. Data input was inconsistent and maybe not as easy for medical professionals to use as it could have been. Probably related, since there often wasn't timely info available in the computer system, people relied on it less, and thus input less frequently- a classic "chicken and egg" situation. The critical end result was delayed patient information, but there was also the sadly familiar case of a system becoming a burden (and possibly even a liability) when it should have been an asset. Usability, user buy-in, and management oversight all needed to improve to move this forward. I'm sure that sounds familiar, although hopefully in different contexts. Today's tale is a bit different, it is about a failure to understand the consequences of operating on backup procedures. "We have a plan for when things go wrong" is great and all, but if it doesn't let people do their jobs in a reasonable manner without undue consequences your fail-safe is a failure. Granted, these are extreme conditions; delayed email is not the same as delayed patient care, but there are still lessons to learn. Oh, and you'll note I didn't mention compliance, that wasn't an oversight. I'm not an expert on healthcare compliance (unlike many who pontificate on it but can't spell HIPAA) and I don't want to blindly speculate on things like what perversions to pain management are imposed by the "war on drugs" and what that means for procedures for dispensing controlled substances. If potential impact on patient care doesn't get you thinking, I hope you aren't working in healthcare. Jack</description><link>http://www.secuobs.com/revue/news/552284.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/552284.shtml</guid></item>
<item><title>About that Herbie Hancock book</title><description>Secuobs.com : 2014-12-17 02:57:26 - Uncommon Sense Security - The first Hancock story I mentioned last week is the opening story in his new book. He tells the story better than I do. I'm not far into the audiobook, but I wanted to hear a bit of it the other day between chapters of Kim Zetter's new(ish) book on Stuxnet. That one is good, too- Zetter balances making the story approachable to non-techies with detail enough to keep those with some knowledge of the events engaged. Unfortunately, the audiobook version means I don't have access to the extensive footnotes unless I buy a print copy, too- but I spend enough time on the road that the audiobook was the fastest way I would get to digest the book. A note on the audio of these two books- the reader of Zetter's "Countdown to Zero Day" speaks slowly and clearly, so slowly that I find the book much more listenable at 1.5x speed. Herbie Hancock reads his own book and tells his own stories, his delivery is, not surprisingly, fantastic. Yeah, I still owe you that other hospital story. Remember, patience is a virtue. It is not one of mine, but that's another story. Jack</description><link>http://www.secuobs.com/revue/news/550542.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/550542.shtml</guid></item>
<item><title>Computers are efficient. And other lies.</title><description>Secuobs.com : 2014-12-16 12:21:31 - Uncommon Sense Security - Sometimes stuff gets put into perspective. With force. I was recently reminded of a few things which happened several months ago while I was visiting friends in hospitals (this happens more and more as you get old- or they are visiting you). All events occurred at large, modern facilities- the kind with computers in every patient room plus roving computer carts, and all the patient info readily available to authorized personnel. Of course, by "all" I mean "all information which has already been entered into the right systems", which leads to my first observation. Hanging out with my friend for an afternoon I got to overhear some of his conversations and frustrations with the medical staff. It was a busy afternoon for him, no sooner had one team of specialists left him than another would wander in. Each team came in with a handful of patient files, and checked up on him in the computer when they were talking to him. And he invariably had to fill them in on some test result or comment from other specialists about his challenging situation- it was common enough that he kept a journal to make sure he could pass the latest info on to his caregivers. Remember, computers everywhere, in rooms, staff stations, and mobile carts. Oh, and paper files in a binder outside each patient's room. And that wasn't enough to get info shared in a timely manner. The computer systems were apparently less than efficient, so data input was tedious- thus forcing the reliance on paper, further slowing the timely input of data. Somewhere the technology became a burden instead of an aid, and that compounded aggravation for the people who relied on the systems to do their jobs. We've all seen poorly implemented technology like this, but seeing it in a hospital where a patient, your buddy, has to keep notes to make sure he bridges failures in communication with medical staff, that's pretty terrifying. Just as this was sinking in, one of the aides came in and took his vital signs- and scribbled them down on a scrap of paper to input somewhere else later. This was not an anomaly, my buddy assured me that happened every time his vitals were taken throughout his stay, expensive machines display numbers, aides scribble them on scraps of paper for later input. Damn, that's the way to share important information in a timely manner. And efficient, too. [image: doctor at office] That afternoon I wandered down to the waiting room a few times as doctors were examining him. One time I overheard an interesting conversation, there was a pretty ugly technical problem and the person looking into it was the kind of network admin I want working in healthcare. I'm sure he thought the waiting room was empty as he used the phone in the hall, so I got to overhear a pretty candid exchange. He was investigating a connectivity problem with the wireless telemetry system, the system which monitors patients and reports the vitals and more to staff throughout the floor. Wireless telemetry systems are generally used for patients who need continuous monitoring, but are somewhat mobile, such as post-operative recovery and patients with self-administered pain management. The telemetry wireless was down and patient data wasn't filling the screens in the halls and nurses' stations, and that threatens patient care. The admin was polite, and chose his words carefully, but he was obviously livid. It was clear he was a network guy, not a medical professional, but his primary concern was patient care (as you would hope in a hospital). It sounded like poorly planned maintenance had caused the outage, and proper procedures weren't followed, resulting in the outage. Another pretty scary scenario given the systems affected by the outage. As appalled as I was that this happened, I was impressed with the admin's focused outrage. "Not only can't this be happening now, it can't ever have happened, and it can't ever happen again" was one comment he made over the phone, a line I'm not likely to forget soon. At the end of the call he explained to whoever was on the other end of the line that the issue would be reported to senior management- not IT management, but senior medical management. As bad as it was that this problem happened, I was glad to hear that a network admin had a direct path to report issues to appropriate executives directly, even in a huge facility like [redacted]. That's the way it should be, the head of medicine needs to know about preventable and unusual threats to patient care, regardless of the source. Imagine what technology could accomplish without insular silos disconnecting technology from consequences- maybe my buddy could put away his notepad. Another incident happened as I was leaving a different friend's room at the end of visiting hours in another large, modern facility. But that's a story for another day, I'll leave you to reflect on this little set of horrors until then. Jack</description><link>http://www.secuobs.com/revue/news/550387.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/550387.shtml</guid></item>
<item><title>The other Herbie Hancock story</title><description>Secuobs.com : 2014-12-12 12:14:18 - Uncommon Sense Security - Herbie Hancock's other story. As promised, the second lesson from Herbie Hancock's interview a couple of weeks ago. Hancock was asked about the ease of musical creation and experimentation with modern computers and electronics. Not surprisingly, he loves the lower barrier to entry and the ease of experimentation- especially compared to the amazing lengths required for electronic musical experimentation in his early days. Then he said something striking, he talked about having to learn all of the old ways, the basics, the fundamentals- and then having to unlearn them to get the most out of new musical technologies. The foundation provided a deep understanding, but could also hold him back from fully utilizing the new tools. That applies to many advances in technology, from understanding point ignition and carburetors before tackling modern computer controlled ignition and fuel injection, to advances in networking, virtualization, and cloud technologies. Mastery includes knowing not only what to learn, but what to unlearn, and when- and knowing how to unlearn without forgetting. I'm pretty good at the unlearning part, the rest I'm still working on. Jack</description><link>http://www.secuobs.com/revue/news/549868.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/549868.shtml</guid></item>
<item><title>Herbie Hancock Stories</title><description>Secuobs.com : 2014-12-11 12:32:59 - Uncommon Sense Security - [image: Herbie Hancock, 2010, by Guillaume Laurent] After the horror of faux country bubblegum abuse of "Crazy" I saw part of an interview with Herbie Hancock, it more than made up for the horror. Hancock has a new book out, "Possibilities". I haven't read it yet, but it is in my Audible queue for my next road trip. Based on the interview I heard, I'm really looking forward to hearing the book in his own voice. [image: Miles Davis] The first story came from the days when Hancock played with the great Miles Davis. During one show Herbie played an obviously wrong chord, and he was mortified at his mistake. Miles' reaction was to pause very briefly, then play the "mistake" into the song until it was no longer a mistake, but part of the performance. And nothing was ever said about the mistake- because it was no longer a mistake. At face value, that is a great story about a gracious and talented musician. Beyond that, you can find a lot of inspiration and run with it as it moves you. It certainly can be applied to the mayhem of InfoSec in a few different ways. There are a couple of quotes we often hear in InfoSec (and in the rest of life), both carry the same message, but come from two very different people. In recent years, the more common quote comes from Mike Tyson: [image: Mike Tyson portrait] "Everyone has a plan 'till they get punched in the mouth." The older quote, which I've heard attributed and misattributed to many people, is from Helmuth Karl Bernhard Graf von Moltke, translated and paraphrased from the original German: [image: Helmuth Karl Bernhard von Moltke] "No plan survives contact with the enemy." As accurate (and quotable) as these quotes are, they are negative. I think Herbie Hancock's story of Miles Davis dealing with the unexpected is a much better model for us and the challenges we face, no matter how idealistic that may be. Tomorrow you can have the second story. Jack</description><link>http://www.secuobs.com/revue/news/549670.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/549670.shtml</guid></item>
<item><title>Manual labor and the horrors of television</title><description>Secuobs.com : 2014-12-10 11:54:39 - Uncommon Sense Security - [images: Patsy Cline; Willie Nelson] Are you either of the people shown above? If not, please don't try to sing "Crazy". The past several weekends have involved a fair amount of manual labor, which has reminded me how happy I am that I don't do that kind of thing for a living anymore. On one of my beer breaks I flipped on the TV to see what horrors it held for me, and I was rewarded with one horror, and a couple of great stories. First, the horror: someone who was neither Patsy Cline nor Willie Nelson was attempting to sing "Crazy" on what passes for country music TV. It was pathetic (Patsy Cline made that song hers, but Willie wrote it and his take on it is authentic). There are some songs that simply shouldn't be done by folks who aren't up to the task, Crazy is one of them. Stick to that pitch and tempo corrected bubblegum country crap, don't defile masterpieces. You may be wondering about the InfoSec angle here- but there really isn't one. Most of us who are in InfoSec did it very badly and passed it off as good enough for quite a while when we started out- and many of us still do. That's the nature of what we do, we rarely have the luxury of delivering "masterpiece" quality work, we do the best we can in the situation; expecting perfection is naïve in our world. In InfoSec, even Patsy Cline would be reduced to singing "99 bottles" with some regularity- and as with pop music, in InfoSec we get what the market demands and what the market will pay for. By the very nature of what we do we are technicians, not artists. If I were deep I might reflect that this may be why so many in InfoSec have artistic outlets- but that's a simple answer to the complexity of humanity. Now, about the good stories: those are for tomorrow. Jack</description><link>http://www.secuobs.com/revue/news/549386.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/549386.shtml</guid></item>
<item><title>Yeah, I'm sick of hearing it too. So just go vote.</title><description>Secuobs.com : 2014-11-26 18:08:42 - Uncommon Sense Security - (ISC)2 member? Read on. Not a member? You may not care about this one- although if you are in the InfoSec field the results of the election may be of interest. It is election time for the (ISC)2 again. As I've said before, I don't have much hope for fixing that mess, but some folks are really trying to make a difference, and if it won't die I guess I should support them. The candidates are listed here. As you peruse that list, you'll note that all candidates hold some (ISC)2 cert, most CISSP- that's because it is a requirement for board service. If I were educated I'd start tossing around phrases like selection bias, confirmation bias, sunk costs, and stuff like that. Instead I'll just say that I would prefer a more diverse board. The US is well represented, and the slate is almost exclusively male. But, there are some folks out there trying to reduce the suck, and they believe they are making progress. Vote for the ones you think will try to steer the beast in the direction you want. For me, I'm happy condemning Wim Remes to another term of board service, and would happily sentence Allison Miller to join him. That left two votes, I removed "US males" in an effort to push diversity and made my choices from the remaining three. Use whatever method you like for choosing candidates, but vote if you are eligible. And I didn't even get a stupid "I voted" sticker. Jack</description><link>http://www.secuobs.com/revue/news/547411.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/547411.shtml</guid></item>
<item><title>Introducing the Shoulders of InfoSec Project</title><description>Secuobs.com : 2014-10-13 21:46:35 - Uncommon Sense Security - "If I have seen further it is by standing on the shoulders of giants." [image: Sir Isaac Newton, by Sir Godfrey Kneller, Bt.] Most famously attributed to Sir Isaac Newton, this quote reflects the sentiment of a new project. In InfoSec we all stand on the shoulders of giants. It was just supposed to be a talk at DerbyCon, but as I dug into the topic I realized it needed to be more than just one talk. Another relevant quote is George Santayana's oft-misquoted "Those who cannot remember the past are condemned to repeat it." In information security we have a very bad habit of ignoring the past; many times it isn't even a failure to remember, it is a failure to ever have known who and what came before. Thus, the Shoulders of InfoSec Project. It is an attempt to compile a lot of information about early figures in InfoSec (and hopefully it will move beyond just the early figures). There are some great resources out there already, notably the University of Minnesota's Charles Babbage Institute which includes a great set of oral histories of security luminaries. The goal is not to compete with, but to complement and highlight other relevant projects. A note about the name: the project's name is "Shoulders", not "Giants", because you do not need to be a giant to offer a shoulder to help others see further. Many people... There are two components to the project at this time, a low-volume blog and the wiki. The project wiki is a work in progress, it includes an ever-expanding list of names, each with a dedicated page including links to relevant information, and will hopefully gain some more color and context as the project develops. The wiki also includes a references and resources page which has links to several related sites and projects. The presentation I delivered at DerbyCon is up on Adrian Crenshaw's Irongeek site if you would like to see some of the ideas and people featured in this project. Suggestions and contributions are welcome, see the wiki for information about contributing to the project. Jack</description><link>http://www.secuobs.com/revue/news/539870.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/539870.shtml</guid></item>
<item><title>What's the best tool for the job?</title><description>Secuobs.com : 2014-06-23 17:01:05 - Uncommon Sense Security - This year I've been thinking about fundamentals a lot. That includes patch management, and in preparing a presentation on the topic I pondered the question: "What is the best patch management tool?" I thought back to my favorite patch and systems management tools from past jobs when I ran mixed (but mostly Windows) networks for small businesses. That reminded me of a lesson about tools I learned many years ago. What is the best (insert category here)? I believe there are two answers: The one you have. The one you know. Note that these may not necessarily be true, but in the real world "truth" can be pretty fluid. There certainly may be better (whatever category) tools than the ones you have now, but you can't make a difference with them tomorrow- and "a little better tomorrow" is our goal. The tools available to you, and which you know how to use, those are the ones you can make gains with immediately. If you really are pushing the limits of the tools you have available, consider what works and what doesn't work with the old tools- then look for better tools and processes, making sure you don't lose anything you currently rely on in the transition (or at least know what trade-offs you are making). Get the most out of what you have and you'll make progress and be better prepared for when the elusive Budget Fairy appears with the Magic Resources Dust- you'll be better able to make the case for new tools if you can show that you are pushing the existing stuff to its limits (as we all know, the Budget Fairy is hard to find, and harder to get money from). The bottom line is that we can't let our existing tools artificially limit us. I've heard variations on "I can't do X without a new tool" since my days as a mechanic- and while it is sometimes true, it is sometimes just an excuse for doing nothing. Jack</description><link>http://www.secuobs.com/revue/news/520259.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/520259.shtml</guid></item>
<item><title>Is OWASP broken?</title><description>Secuobs.com : 2014-06-17 20:31:03 - Uncommon Sense Security - That's a silly question. I wasn't going to comment on the current struggles of the Board of Directors for fear of adding to the Pointless InfoSec Drama, but I need to say a few things about it. I am not an OWASP insider, but I do support their mission. [image: OWASP logo] OWASP has done a lot of great things, and continues to do so today. As I said, I'm not an insider, but there appear to be some struggles at the global Board level and possibly organizationally at the national and international level. And I don't really care- I hope it gets sorted out soon, but the power of OWASP (and a myriad of other organizations, not just in InfoSec and tech) is largely in the local and regional chapters and events, and in the OWASP projects. If you believe in OWASP (or any other organization struggling with high-level issues), I encourage you to focus your efforts locally, that's almost always where you can make the most difference. In the case of OWASP, there are also the numerous projects- you don't need to be local to work on them. As Tip O'Neill frequently observed, "All politics is local." Please don't waste time on drama, focus locally and keep up the good work. Jack</description><link>http://www.secuobs.com/revue/news/519348.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/519348.shtml</guid></item>
<item><title>A small rant on presenting at conferences</title><description>Secuobs.com : 2014-04-22 18:36:28 - Uncommon Sense Security - The more conferences I run the more sympathy I have for other conference organizers, even the big commercial ones, and the more inclined I am to follow their rules and requests. But I expect the conferences to have a clue about what's involved in delivering a good presentation and facilitate that, not hinder it. If there are glitches at a BSides or other smaller, volunteer-run, or new events I'm OK with that. It happens. What I can't stand are conferences which try to manage the speakers in ways that prevent delivering quality presentations. First and foremost, I hate having to rely on the conference's laptops for presentation. I completely understand the desire to avoid the regular struggles of getting the right settings between a new laptop and the projector or display at the beginning of each session, but most "house laptop" situations I've been in are far worse than the lost couple of minutes of the VGA adapter shuffle. The most common gripe I have is the loss of presenter view. I want my notes, damn it; stop stealing them from me. If I have to use your damned laptop, with its lack of fonts, odd and/or old versions of software, aspect ratio distortion and such, please, in the name of all that is good, give me presenter view. And then we have your slide templates. I'm sorry, but they suck. Every Single One Of Them Sucks. Sure, mine suck, too, but in ways I expect. Your templates and themes take away layout flexibility, they screw up notes pages, and sometimes even hinder basic functionality I rely on. But then, you want me to use your crappy laptop, so those functions don't work anyway. I get it, you run cons, you don't speak at them, so I'll forgive you for past transgressions. But not future ones; our audiences deserve better. Jack</description><link>http://www.secuobs.com/revue/news/509627.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/509627.shtml</guid></item>
<item><title>Threat Modeling, by Adam Shostack</title><description>Secuobs.com : 2014-04-12 03:05:47 - Uncommon Sense Security - Adam has a new book out, Threat Modeling: Designing for Security, and it is a great resource for anyone in security. As with New School of Information Security, this is one to grab, read, and keep on the shelf (e-shelf). The layout is great: after a short introduction Adam takes you into an easy, but informative, practice exercise. After the exercise there is a more in-depth introduction, which builds on what you learn in the exercise, and also answers some questions which inevitably come up during the exercise. From the first couple of chapters the book gets progressively deeper into threat modeling theory and practice. Even if enterprise threat modeling isn't your world, reading the first few chapters will help you think about securing systems and software more clearly and logically. I know there are different views and opinions on threat modeling theory and methodology, but even if you approach it differently from Adam, I think you'll find it informative and valuable. Those who know me know that I'm a real fan of Adam's work; he explains complex topics in easy to understand ways, concise and clear without "dumbing things down." Gunnar Peterson, who actually knows about this stuff, has an in-depth review of Threat Modeling on his great 1 Raindrop blog. Grab a copy and give it a read. Jack</description><link>http://www.secuobs.com/revue/news/507897.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/507897.shtml</guid></item>
<item><title>Missing the (opportunity of) Target</title><description>Secuobs.com : 2014-03-20 13:46:32 - Uncommon Sense Security - You may have heard that some companies lost some credit card data recently. I think it was in the news. Come to think of it, a couple of weeks ago I featured a great guest post by Jeff Man on the topic. In recent stories it has come out that some of the compromised companies "ignored thousands of alerts," and many folks are heaping scorn and derision on the compromised companies because victim-blaming is easier than looking inward and securing their own stuff. Also, unless we have a historical record of "normal" alert levels for these environments, and average false positive rates, with statistical deviation analysis, let's not assume "X-thousand alerts" means a damned thing. I generate thousands of alerts in my own labs/playpens without even trying; I can't imagine what kind of background noise a global retailer has. Oh, and millions of people had cards compromised. And the impact on the vast majority was nothing. At least nothing more than getting a new card in the mail. The payment card security system is, in my opinion, badly broken, but it functioned as designed, and consumers were protected (in that the built-in margins designed to cover fraud covered the fraud to protect the consumers). There has, of course, been renewed cry for chip and pin cards to replace the US-only magnetic stripe cards of antiquity we cling to. And, of course, the expected backlash against chip and pin being an imperfect solution, and thus not worth the effort; forget that getting a little better tomorrow is still a laudable (and arguably the only viable) goal. And all of this misses a huge opportunity. An opportunity to make consumers like me happy. I understand that I am not normal, on a bewildering array of scales of normalcy, but I'm not alone in traveling outside of North America. I have found myself in subway and train stations late at night, across Europe, with a pocketful of useless US credit cards and no way to buy a ticket without a chip and pin card, the standard for most of the rest of the world. That's just plain stupid. I've been plenty of other places where my retro-tech US cards didn't work, but the "late at night in a transit station" one REALLY sucks. Now there's word that we'll finally start moving away from the old magnetic stripe cards, and the latest is that we will get "chip and signature," not chip and pin; so much for compatibility. What we have is an opportunity to make customers and some merchants happier by standardizing technology across the globe, and we could slide a little increase in security into the process at the same time. But noooooo. The payment card industry gets it wrong, again. Glad we never miss opportunities like that in InfoSec. Jack</description><link>http://www.secuobs.com/revue/news/503972.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/503972.shtml</guid></item>
<item><title>Recovered yet?</title><description>Secuobs.com : 2014-03-11 04:38:56 - Uncommon Sense Security - I think I have. I am, of course, talking about the annual week of madness in San Francisco. Security BSides San Francisco was another great event, lots of diverse and thought-provoking content, and plenty of good conversations, as we expect from BSides. The planned lead organizer for BSides San Francisco had a change in career path, and a few of the BSides regulars had to step up and make the event happen; it is amazing working with the folks who make BSides happen, it looked easy from the outside. And there are new folks ready to take the lead for BSidesSF 2015, so we'll see you there next year. Believe it or not, there was a lot more than BSides happening that week. The RSA/NSA controversy didn't appear to have any impact on the RSA conference; there were almost 30,000 people in attendance and a record number of vendors, with an expanded vendor expo area. I was pleased to see a significant reduction in the number of scantily clad women working the booths, but I'm still struggling to understand the significance of a boxing ring in an infosec booth, other than as a bad metaphor. And nothing, absolutely nothing, says "enterprise security" to me like some dude juggling while riding a unicycle in an expo booth. At least he was fully dressed. I had a lot of good conversations at RSA again this year, but the expo floor seemed unusually devoid of innovation. I didn't get to do a full crawl of the smaller booths on the edges of the big hall, but it really looked like a "yelling about nothing" year to me. Terms like "threat intelligence" and "big data" were everywhere, but definitions for "threat intelligence" were often unintelligible. Patrick Gray's interview of Marcus Ranum summed it up pretty well (37 second mp3). I did not make it to TrustyCon, the event spun up to provide an alternative for those who pulled talks from RSA, and a place to focus on trustworthy computing, but it sounded like it had some great content and I hope it grows into a focused event to provide insight and context to the challenges of privacy and security in our "post-Snowden" world. They seem to be off to a good start. (Yes, some folks seem to be playing the RSA/NSA story for media and PR, but many folks involved in TrustyCon are, I believe, truly sincere.) Once again the real value of the RSA conference for me was having thousands of people in one area; I had several informative meetings, and many good conversations in and around San Francisco that week. Speaking of which, as soon as the Spare Time Fairy pays me an overdue visit, I want to write up some of what's new with Denim Group's ThreadFix project; cool things are happening there. Jack</description><link>http://www.secuobs.com/revue/news/502196.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/502196.shtml</guid></item>
<item><title>Target and PCI: Talking About the 800 lb Gorilla (a guest post)</title><description>Secuobs.com : 2014-02-13 22:47:35 - Uncommon Sense Security - Today I present a guest post, written by my friend Jeffrey Man. This is a very well thought out piece on Target, PCI, and surrounding issues. There has been much discussion online and in the media as to whether or not Target was compliant with PCI DSS at the time of their breach. Details of the compromise are still not completely known, but there have been some new details released that (while not definitive) are starting to give us at least an idea of the path that the attackers took to gain access to Target's network, the cardholder data environment, and ultimately the POS systems where malware was installed to capture transaction data and ultimately exfiltrate the data out to the attackers. I've been debating with several colleagues how to best approach a discussion of whether or not Target was compliant at the time of the breach. We are all seeking an informed and objective way of discussing this issue from several vantage points, basically trying to decide the points of failure (if any), and which specific PCI DSS requirements led to the compromise. Ira Winkler published an article for Computerworld yesterday where he discusses "6 failures that led to Target hack." Ira very astutely points out that there really wasn't a single failure that led to the Target breach but in actuality there were a series of systematic failures that allowed the compromise of millions of credit/debit cards and other customer personal information. I've been involved with numerous companies over the years that are attempting to recover from a breach or compromise and Ira's words rang true: there is almost never a single point of failure but a series of actions (and inactions) that lead to the event. I also thought that the six failure points that Ira discusses would be a great springboard for an objective discussion of whether the PCI DSS controls applied, were implemented, or were not being followed by Target. Let me start with summarizing the 6 APPARENT failure points that Ira pointed out in his article: 1. Lack of or improperly implemented segmentation controls to isolate the cardholder data environment (CDE); 2. Lack of or improperly deployed IDS/IPS solutions; 3. Failure to detect compromise of internal software distribution system or failure to detect changes/modification of the software being distributed internally (really two failures, IMO); 4. Lack of whitelisting solution to protect the POS systems; 5. Lack of detection of the compromise of systems commandeered to enable the collection of the transaction data and subsequent exfiltration; and 6. Lack of detection of the exfiltration of the data itself. My intention is to foster a discussion about these failures as they pertain to the PCI DSS controls specifically and how they are interpreted and applied for the typical large merchant. I have had numerous retail customers over the years, some recovering from a breach (some trying to prevent one), all trying to comply with PCI DSS and not spend too much time, money and resources. The failures discussed point out the difficulties of implementing adequate security controls in a typical retail environment, and also the complexities of consistently interpreting and applying the PCI DSS controls. I'll get the ball rolling with some initial thoughts: 1. Network segmentation is not a PCI DSS requirement, but a highly recommended means of limiting a QSA's scope for validation (but often means the systems to which our clients apply the PCI DSS controls). Evaluating adequate segmentation is highly subjective, so this point is debatable as to whether or not Target failed to adequately segment their CDE, or whether their QSA approved it or not. Frankly, if this proves to be the actual path of compromise, I think this will serve as the death knell for segmentation and limiting scope altogether (or should). The lesson learned should be to apply the PCI DSS framework across the enterprise. Period. No exceptions. 2. IDS placement is also debatable, as the standard requires perimeter placement to and at "strategic points" within the CDE. It's likely that the hackers circumvented the perimeter by finding what effectively was a backdoor trusted ingress path via the HVAC/Ariba system. This could be a simple case of putting alarms on the "front door" and leaving the back door wide open. 3. This one is a little tougher to defend. On the one hand, these systems should have clearly been considered in-scope for PCI and thus should have been in the CDE. But, because they perform a supporting function and not actual transaction processing, I could certainly understand if the focus was more on the controls associated with Requirement 6 as it pertains to change management, software development, testing, and so forth, and not so much on the hardening, logging, monitoring controls put forth in other sections of the PCI DSS. 4. While whitelisting solutions for POS systems are fairly common, they are not technically required. The requirement for these systems is for anti-virus/malware solutions to be installed, receiving automatic updates, and periodically scanning the system; have FIM installed and reporting/alerting; and receiving critical patches within 30 days of release. I mention these three categories (AV, FIM, Patching) because these are the categories that many of my retail clients try to address through compensating controls using primarily a whitelisting solution as an alternative. The use of a compensating control is allowed for technical limitations (in this case the limitation was the difficulty in successfully administering large numbers of geographically dispersed systems, many of which were not routinely online, in a timely manner according to the specific PCI DSS Requirements). Presumably Target either had the primary controls in place, or a compensating control alternative such as a whitelisting solution, or they did not. IF they did, the discussion should focus on whether the control actually worked, and I would point out that as a QSA I was not supposed to judge whether a solution actually performed as advertised, but that it advertised meeting the goals of a particular requirement. 5. The commandeering of these systems should have been detected, so this should be an easy one to say was non-compliant at the time of the breach. The only rebuttal might be the logical location of these systems (outside the CDE) and whether they were being maintained and monitored according to PCI DSS requirements. But the failure then was the lack of detection of the transfer of data (oh wait, that's the next failure point). 6. I can't get past this one. You have to assume that the CHD data started out inside the CDE and was exfiltrated somehow outside of the CDE and ultimately outside of the enterprise. That should have been disallowed by outbound firewall rules, so either the attackers used trusted (existing) outbound ports/services/protocols, the rules were non-existent that would have prevented the egress, or they compromised the firewalls and added their own rules. My initial thought was that they would likely have used existing rules to get the data out, but then there's the matter of the destination. PCI DSS is supposed to prohibit the use of "any" rules, so maybe the attackers did have to compromise the firewall and at least add an IP or two to an existing outbound server group. I want to give the benefit of the doubt here, but properly implemented PCI DSS controls should have prevented or at least alerted on this egress. That is my current thinking based on these failure points. What do you think? Feel free to agree or disagree, but by all means you are welcome to contribute to the discussion. Jeffrey Man</description><link>http://www.secuobs.com/revue/news/497777.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/497777.shtml</guid></item>
<item><title>When is a patch not a patch?</title><description>Secuobs.com : 2013-11-19 02:15:23 - Uncommon Sense Security - When is a patch not a patch? When it is not a patch. That seems rather obvious, but sometimes we lose sight of the obvious when talking about patching and vulnerability management (and a lot of other things). In my "day job" at Tenable, we think about vulnerability management a lot; it is what we do. We also think about patching and patch management a lot, even though that is not what we do. (I often wish companies who sell patching and patch management systems were similarly honest about their core competencies, but that's a rant for another day. It is not quite floor wax and dessert topping territory, but patch and vulnerability management are two related things I do not want coming out of a single can, no matter how shiny or tasty they claim to be.) Back to the topic, patching (and not patching). Patch Tuesday has driven many into a myopic patch mentality; sometimes that works well, sometimes it works well enough, and sometimes it leads to stupidity. (Tangent number two: I was always a fan of Shavlik. I don't know what VMware was thinking when they acquired and nearly ruined them, but thankfully Shavlik has survived, escaped, and will hopefully recover fully.) But patching isn't always the answer: when a vulnerability is found there should be a logical process for dealing with it, and while "slap a patch on that bad boy" is often a great answer, and frequently the easiest answer, it is not the only answer. Let's say you've found a vulnerability (or more likely thousands) in your environment; where do you start to deal with it? There are a handful of questions you need to answer before acting. In no particular order: Is it real? I wrote a post on positives and negatives, true and false, some time ago; check out "Are you Positive?" for thoughts on the topic. The bottom line is that you need confidence in your findings. Acting on bad info is rarely a good idea unless you are a politician. Are the "vulnerable" systems exposed? We don't always think about online "exposure" the way we should. We generally understand threats that come to us, whether in the form of physical threats to our homes and offices, or services exposed to the Internet. In the physical world, we generally only think of going to threatening places in "high-risk" environments, such as high-crime areas or potentially dangerous places such as mountain trails or beaches known for undertow. The problem with that is that the entire Internet is pretty sketchy, not just the "high-crime" areas. Legitimate sites are compromised, DNS is hijacked, bad things happen all over, so venturing out is always a little risky. Any system receiving email or accessing the Internet has some exposure. Where it gets more tricky is with the indirect exposures: systems which are exposed via pivot or relay. This often means systems which are not directly exposed to the Internet, but which are exposed to Internet-accessing systems. This sort of attack path analysis can be challenging, but it does add context to our efforts at understanding exposures and mitigating vulnerabilities. (Forgive me for not addressing air-gapped systems here, but you will note I am not addressing unicorns, either.) Do we care? Should we care? If so, how much? Do the vulnerabilities really expose anything important? How much exposure are you comfortable with? What risks are posed by potential exploit of the vulnerability? What risks are posed by the patch or mitigation? Does the cost of mitigating the vulnerability make sense? Spending a dollar to protect a dime is probably not the best use of limited resources. Are there known exploits in the wild for the vulnerability? There may be unknown exploits, but ignore known Bad Things at your own risk. Is a patch the best answer? Maybe you should just uninstall or disable the application or service. If you don't need it, kill it. Maybe there are other mitigations like network segmentation or other ACLs, configuration settings, permissions restrictions, or tools like Microsoft's EMET which can reduce or eliminate the exposure. This requires an understanding of the implications of each mitigation; sometimes it is easiest to "just patch," but patching is not without risks. Can you recover quickly from whatever mitigation you deploy? Sometimes unwinding a bad patch is as simple as logging into your patch or systems management server and removing the patch. Sometimes it involves re-imaging thousands of systems. If faced with the latter, how would you handle it (besides updating your resume)? I'm sure you can think of more, but this list should start or re-start a conversation I hope you've already had several times. I can't write about patching without addressing a little problem I thought was pretty much behind us, at least for Microsoft: bad patches. For years I have advocated rapid patching of Microsoft systems since they have done an outstanding job of QA on their updates. Back in the days when I was an admin in the trenches I patched fast, with a 72-hour patch target for desktops and laptops, and a 10-day target for most servers. Obviously, some testing is needed, and a lot of testing is needed for critical systems, but you have to decide if the risk of deploying a patch outweighs the risk of not patching, and how other possible mitigations might change the risk. This has been made a little trickier by the past year's string of "less than perfect" patches coming from Redmond. I chatted about this topic with Pat Gray on a recent episode of his outstanding Risky Business podcast. Microsoft updates are the largest software distribution system in the world, and the quality of the patches is still generally very good. "Generally very good" might be good enough to push patches to a lot of systems in a rolling deployment after a short test cycle; it is probably not good enough to skip thorough testing before testing on critical systems. In the immortal words of Spock: "Patch well and prosper." Or something like that. Jack</description><link>http://www.secuobs.com/revue/news/481728.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/481728.shtml</guid></item>
<item><title>Microsoft MVP Summit</title><description>Secuobs.com : 2013-11-09 17:46:50 - Uncommon Sense Security - Headed to the Microsoft MVP Summit? If so, please stop by and join me at an informal gathering for Security MVPs and like-minded folks on Sunday night, Nov 17. Drop in anytime between 7 and 10:30 and say hello. Stay for a few minutes, or a couple of hours, and enjoy snacks, drinks, and conversation. Send me an email at jdaniel (at) tenable.com for more details and venue info. (It is very close to all the MVP goings-on in Bellevue, a short walk from any of the event hotels.) This reception will be sponsored by the nice folks who routinely send me a paycheck, Tenable Network Security. No sales pitches, banners, or anything like that; Tenable is just encouraging conversations, as we often do. See you there. Jack</description><link>http://www.secuobs.com/revue/news/480007.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/480007.shtml</guid></item>
<item><title>Can you trust them?</title><description>Secuobs.com : 2013-09-14 20:46:02 - Uncommon Sense Security - Let's turn a common theme in InfoSec upside down: Can you trust, and should you hire, former hackers/government employees? In the still-unfolding Snowden saga, we now have allegations that the US government, specifically the NSA, has attacked cryptography at scale, including the software, protocols, and algorithms we rely on for secure and private communications. On one hand, I have to say "duh, that's their job," but it certainly appears to me that they have significantly overstepped their authority and damaged our ability to secure our data. While I hold some senior NSA officials, notably General Alexander, partially responsible for part of this abuse, I believe that the real blame lies with the past couple of presidents and the Congress for their utter abandonment of responsibility to the Constitution, and to us, the citizens it is designed to protect. The NSA (as is true for much of the US federal government) is full of great people, working very hard to properly execute their assigned tasks. But, if your assigned task is something like fighting terrorism, or combatting drugs, or child pornography, it is only natural that you will lose perspective in the face of the horrors you are trying to combat. (Don't get me wrong, I know that a lot of folks are in the "war on" whatever as profiteers, but I believe most people are trying to do what they believe to be right.) That's where the elusive property of "oversight" comes in. Or in the case of things like the abuses of the NSA, oversight should come in, but presidents, congress critters, and others have abdicated their sworn duties. Back to the question at hand: Having "NSA" on your resume has traditionally been seen as an asset. We now have credible claims that government agents have subverted the security of the systems we rely on, in some cases by covert infiltration of private enterprise. Imbecile executives in the InfoSec industry like to make pronouncements like "We don't hire hackers," showing their ignorance of what "hacker" means to many people, and limiting their pool of talented recruits. Computer criminals have a hard time concealing their past convictions, but covert agents have the power of the intelligence community behind them to create squeaky-clean résumés. Is that former NSA researcher, the one who is now working on your software, really "former"? Thus, we have to ask: Is it time for "NSA" to become scarlet letters on a résumé? For the record, I don't think so, but I do believe it is past time to reflect on "who can you trust" before hiring people and putting them in positions of responsibility, regardless of their past. And that's a belief I am confident the NSA shares with me. (Image attribution: Laura Poitras / Praxis Films) Jack (Note: I have not provided links to anything in this post. There are so many sources, with so many revelations, counterclaims, and outright lies that I'll leave you to use the sources you trust, and reach your own conclusions on the reality and implications of this mess.)</description><link>http://www.secuobs.com/revue/news/468671.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/468671.shtml</guid></item>
<item><title>Security BSides, stories and back-stories, part 1</title><description>Secuobs.com : 2013-09-12 15:19:39 - Uncommon Sense Security - I realize that I'm overdue on providing an update on all things Security BSides, so here is a start. Usual disclaimers apply: I'm writing personally, not on behalf of BSides or any of the BSides events or organizations, etc. This weekend will be the 92nd Security BSides, in Augusta, Georgia, a new city for BSides. That makes 92 events in just over four years, spanning 51 cities, 11 countries, and 5 continents. And event 100 is just over a month away. In reality, there will be three events on October 18, numbers 99-101, so let's call it a three-way tie for 100th. That three-way tie spans three countries: Poland, Canada, and the US. Pretty damned amazing if you ask me. But let's back up; just what is this "BSides" thing anyway? There is still some confusion, and a little misinformation floating around. It started when a handful of people had some ideas, which coalesced and merged the different thoughts into an event in July of 2009, parallel with Black Hat USA and before DEF CON. The semi-official history is on the Security BSides wiki. The original idea was to offer a "B-side" to the "A-side" events. For those unfamiliar with the term, back in Ye Olden Days we listened to music on spinning bits of plastic called "records"; on singles there was usually a mass-market appeal (at least the artists and producers hoped so) song on the A-side, and the B-side was generally more experimental, or more artistic instead of pop-centric. When such things made it to the radio, A-sides were generally on AM and B-sides were often on that fancy FM. That's what we imagined for BSides: a place for more experimental, niche-audience content, plus some things with wider appeal. (To save you Googling it, "Baby Face" was the A-side to this Little Richard B-side, "I'll never let you go.") The first event was held in a rented house in west Las Vegas; a lot of folks came together and made it happen. (I won't try listing names, there are too many to list; besides, everyone who showed up helped make it happen in some way.) We had about 200 people through the house in the two day event, and it was a great success. People wanted more, so several of us began discussing "next steps." There was demand for a BSides parallel with RSA in San Francisco, and the San Francisco-based BSides crew started working to make that happen. Before the event in San Francisco, some people wanted to have an event by the Bay in Mountain View, but there was no "A-side" event. General consensus was that BSides events didn't need an A-side to be successful, or to be useful to the community, so BSides Bay happened in December of 2009. That's right, the second-ever BSides didn't have an A-side. In fact, most Security BSides events haven't had an A-side event. By my count, only 27 of the 91 BSides events held thus far have been adjacent to, or parallel with, another event, and it is becoming less common. Only 8 out of the 41 BSides this year have an adjacent event. The standalone events often provide underserved communities with a security/hacker event where none would otherwise happen, and that is a huge part of the value the BSides community brings to the greater security and hacker community. BSides do not require an A-Side, and over two-thirds of Security BSides have been standalone events. BSides offer a B-Side to the mainstream. Many of those 27 were done in cooperation with the adjacent event, sometimes even co-branding and cross-promoting to increase value to all attendees and participants. Sure, some tensions do happen, but the two big overlapping event pairs (RSA US/BSides San Francisco and Black Hat/BSides Las Vegas) now have open communications and cooperation between the events. Also, some proposed BSides events never happen; the BSides community sometimes discourages ones which might fragment or stress adjacent community-driven events. (Note that there has never been a BSides around Shmoocon, for example.) BSides strive to work with and respect adjacent events. There is a lot more to tell, but that's enough for this post. I'll follow up with more on BSides in coming posts; until then, check the front page of the BSides wiki for all of the upcoming events around the world. Oh, and pencil in Tuesday and Wednesday, August 5-6 2014 for Security BSides Las Vegas. That's right, we're changing the days of BSidesLV to reduce overlap with both Black Hat USA and DEF CON; many people in the community have responsibilities which span two or all three of the events of that week, and this move makes it easier to meet those responsibilities. Or maybe just give people time to sneak over to Frankie's or Double Down to unwind a bit between duties. Jack</description><link>http://www.secuobs.com/revue/news/468202.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/468202.shtml</guid></item>
<item><title>Hacker Summer Camp and @HackerRoad</title><description>Secuobs.com : 2013-07-23 19:15:32 - Uncommon Sense Security - Next week is "Hacker Summer Camp", also known as BSides Las Vegas, Black Hat, and DEF CON week. As you might expect, I'll be at BSides most of next week, then heading over to DEF CON when we finish hiding all the bodies cleaning up and packing out. We have a killer lineup for BSidesLV as always, and Irongeek will be recording the sessions so you can catch up if you won't be joining us or miss one you want to see. I'll be giving a talk in the Common Ground track, a decidedly non-InfoSec talk: "The Erudite Inebriate's Guide to Life, Liberty, and the Purſuit of Happineſs. An exploration of bitters, classic cocktails and other stuff". That will be on Wednesday at 16:30 in the Tuscany room. I'll also be joining the all-star lineup of Davi Ottenheimer, Raymond Umerley, Steve Werby, David Mortman and George V. Hulme on Thursday at 12:30 in Florence G for a panel discussion on breach notifications, ethics, and law. I'll once again be participating in DEF CON Hacker Pyramid and beard competitions, and of course providing logistical support for the FAIL Panel. But no pink camisoles this year. Well, probably not. Possibly something worse, though. And finally, for a little entertainment, follow the adventures of video guy Steve and I as we drive from Cape Cod to Las Vegas and back. Face it, you'll just be pretending to work until next week, either in prep for the trip, or out of bitterness because you can't go. So follow the adventures on Twitter at @HackerRoad as we wander the countryside cursing the latest update to Google Maps for Android, stop at distilleries, and spread cheer wherever we go. Or something like that. Maps, photos, video, etc. will be posted to or linked from that Twitter feed (yes, that's the old Shmoobus account, rebranded for a more wide-ranging set of adventures). The road trip is made possible by my awesome employers at Tenable Network Security, who are too smart to directly sponsor something this silly, but are kind enough to indulge me taking time for such madness. Jack </description><link>http://www.secuobs.com/revue/news/458630.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/458630.shtml</guid></item>
<item><title>Missing the lessons</title><description>Secuobs.com : 2013-07-18 14:24:10 - Uncommon Sense Security - Listen up people, I enjoy a pointless socio-political sequential rant on Twitter as much as most folks (I say sequential rant instead of debate, because real debate rarely happens on Twitter)- but seriously, almost the entire InfoSec world is missing the lessons of Manning, Snowden, et al. which are relevant to our goals of securing info. Also, I see way too many people who should know better falling into the media, troll, and pundit (hard to tell the difference sometimes, probably because there isn't always a difference) trap of narrowing choices. Let's start with the choice flaw: if you are given an "either/or" choice and fall for it, you've let the punditroll define the terms of the conversation, and you've lost (or at least truth has lost, but what the hell, The Truth is sadly accustomed to losing). Is Snowden/Manning/US Grant/George Washington a hero, traitor, or demon? Yes and no to all of the above- it depends on your position and too many other factors. Reject the either/or fallacy, and don't participate in it. Now, about the lessons- politics, justice, and all that stuff best decided on Twitter or Reddit (or 4Chan) needs to be set aside for a minute so we can look at the security challenge. My first InfoSec reaction to both the Manning and Snowden breaches was WHY THE HELL DID HE HAVE ACCESS TO ALL OF THAT? A few hundred thousand diplomatic cables and other sensitive info freely available at a forward military base- all of which could be accessed and copied by enlisted personnel without supervision- and without setting off any detections? Treasure troves of Top Secret documents available to a junior contract employee of an intelligence contractor? Epic failures of fundamental information protection. The US Department of Defense knows better, but they failed miserably. To their credit, they're trying to fix those access problems, but that is not an easy task, and I fear that those beating the Drums of Cyberwar will distract the DoD from getting the basics under control. And what about Boozed-Allen-give-us-the-Hamiltons? We (literally we, US taxpayers) pay them a lot of money to screw up. As I have said many times before, never outsource your core competencies, especially failure. I understand that this is not a simple challenge, but if you can't answer "Who has access to what, under what conditions, and with what monitoring and safeguards?" you have a problem. Probably more than one. And no, I do not expect you to be able to answer that about everything you need to protect. But maybe, just maybe, the stuff that can embroil multiple nations in political and diplomatic turmoil if leaked- that stuff, you should put a little thought into protecting it. Maybe you don't protect (or fail to protect) anything that sensitive, but you probably help protect things which if lost would cause people (including you) to have A Really Bad Day. Skip the next round of pundit listening or troll feeding and think about that. Jack </description><link>http://www.secuobs.com/revue/news/457724.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/457724.shtml</guid></item>
<item><title>Please, let it go</title><description>Secuobs.com : 2013-07-01 18:27:20 - Uncommon Sense Security - I thought it would calm down after RSA earlier this year, all the hype and nonsense about "active defense" and "hacking back". But it hasn't. Sure, there have been ebbs and flows, but the nonsense continues. I guess it's my turn to add to it. If you have had your first serious discussions about "active defense" and/or "hacking back" in the past year or so you are either new to the business, or are negligent. Period. If you make the claim that "active defense" is only a euphemism for "hacking back", you are either hyping an agenda, or selling a (probably outdated) security model. Or perhaps you've just been misled by the previously mentioned shysters. By my count that's three flavors of wrong, although one may be slightly less bitter. Let's start with "active defense". It is not a new idea, and it doesn't necessarily mean hacking back. It may encompass counterattacks, but there are a lot of active defenses far short of attack. Call it what you want, active defense, or offensive countermeasures (as John Strand and Paul Asadoorian have called it), or devious defense, or maybe just "not lying there and taking it passively". If an action causes you or a system to take a corrective or defensive action- that is "active". Try too many bad passwords- we'll lock the account. That's active (if somewhat lethargic) and very old. IPS/IDS triggering scripts to block traffic? Those are not new, and are not passive (although, as Chris Hoff posits in a recent post, most inline defenses are deployed in passive mode). In Ye Olden Days we could even take the "active" defense of contacting an ISP and asking them to block someone (yes, kiddies, once upon a time this actually worked, albeit sporadically). How about tools like Ben Jackson's cool WebLabyrinth- that's certainly active. Sure, you can cross over to things like setting traps which report back to you when files are taken, or hiding malware in tempting looking docs- but those are one end of a long scale, and still fall short of directly attacking your attackers. And about that "attacking your attackers" thing- if you have ever defended a network under attack and not done a little "thought exercise" about buying some temporary relief via counterstrike... well, your heart is more pure than mine and many others I know. Also, if you believe that digital counterstrikes haven't been an "off-menu" offering for some boutique (and probably not-so-boutique) consultancies for quite a while... let's just say you can stop waiting for the Easter Bunny. Oh, and the "but, but, attribution", "blaming victims", and "attacking innocent bystanders" stuff? Yeah, no. I'm so sick of this nonsense I'm going into dangerous territory and using an inappropriate and incendiary metaphor. You've been warned. If you fail to secure your firearms and someone steals them, then uses them in the commission of a crime... (I told you it was going to be bad). Backing away from extreme hyperbole now- my point is that if you can identify a source or relay point in an attack, you have likely identified a negligent party who is probably also a victim, but I'm not giving them a blanket grant of innocence. This does not necessarily mean I support attacking them, but let's be honest about their unwitting complicity in Crimes Against the Internet. To me, this changes the nature of what "might" be an acceptable counterattack from "rm -rf" to "shutdown -h now". Yes, yes- it isn't illegal to be negligent on the Internet, but the laws are so far behind the technology that they are largely irrelevant until YOU get caught up in them. A few months ago Dan Geer took a pro-"offensive defense" position on the Risky Business podcast episode 273. It is worth a listen, and I largely agree. I'm not suggesting you start attacking things unless and until the laws change and your organization has serious and candid conversations on the ramifications of your actions- it is not a course of action for the unskilled or faint of heart. For most, I think effort would be better spent improving defense and response instead of engaging in digital combat, but for some I believe it could be a viable option. For some, it has been and will remain a viable option (debate ethics, legality, and liability all you want, that doesn't change the fact that it has happened and will continue to happen). Now can we please have some adult conversations about these topics, and stop the faux-naivety and real hype? Oh, wait, InfoSec. Right, nevermind. Jack </description><link>http://www.secuobs.com/revue/news/454780.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/454780.shtml</guid></item>
<item><title>More on the Second Amendment and Arms</title><description>Secuobs.com : 2013-06-10 17:34:59 - Uncommon Sense Security - Yesterday I put up a quick little post pondering the significance of the categorization of software as "arms", and the possible implications for Second Amendment protection of "cyber arms". Last night, Jack Whitsitt (@sintixerr on Twitter) published a more comprehensive post on the topic, one he's been working on for a few weeks- check it out, it is a well thought out piece: http://sintixerr.wordpress.com/2013/06/09/your-right-online-cyber-security-and-the-second-amendment/ Jack </description><link>http://www.secuobs.com/revue/news/450503.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/450503.shtml</guid></item>
<item><title>"Cyber arms" and the Second Amendment</title><description>Secuobs.com : 2013-06-10 00:09:25 - Uncommon Sense Security - It started as a flippant Sunday-morning-at-the-coffee-shop tweet while I was awaiting caffeinated goodness- I tweeted: "The Second Amendment should apply to cyber arms, for the same reasons it protects guns". But as I reflect on it, I realize that this raises interesting questions (even if they are just thought exercises- for now). Amendment II states: "A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed". (By the way- if you ever doubted the significance of commas, this Amendment should remove all doubt- even as we argue their meaning in this case.) I have no desire to get into the gun control debates- but the Second doesn't mention guns, it says "Arms". Note that "Arms" is not specifically defined, allowing for currently accepted definitions to be applied- even if (to the best of my knowledge) it has only applied to firearms up to this point in time. The interpretation of the Second Amendment is certainly not alone in its need for clarification or interpretation in light of the changing state of "weaponization" of software- the Computer Fraud and Abuse Act (CFAA) is more desperately in need of overhaul. It seems to me, as a non-lawyer and barstool constitutionalist, that the US government's restrictions on exports of crypto and other security technologies, combined with the recent news that "Six US Air Force cyber capabilities designated 'weapons'", makes this a legitimate issue. As with any tool or weapon, actual usage (and intent) will determine legality- but this could be an angle to combat those who wish to outlaw "hacking tools". The issue of what constitutes a "hacking tool" has always been tricky, especially since a web browser and a telnet client are sufficient to compromise hundreds of thousands of systems on the Internet. I'm sure a strong case can be made against some crimeware kits as hacking tools- but few tools are purely evil (see Back Orifice for example, arguably a better admin tool in its day than what was commercially available). Again I present you with more questions than answers, but now you have something to ponder while the Snowden/NSA story unfolds (and refolds, and unfolds into a Möbius strip or whatever it is now). Jack </description><link>http://www.secuobs.com/revue/news/450325.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/450325.shtml</guid></item>
<item><title>Numerology</title><description>Secuobs.com : 2013-05-29 16:59:24 - Uncommon Sense Security - My wife and I have three vehicles: two are red, two have manual transmissions, and two are diesels. What is statistically significant about this? Stumped? OK, more data: none of the vehicles has all three of the characteristics listed above. Now it is obvious, isn't it? That's right, the statistical significance of this is ABSOLUTELY FRIGGEN NOTHING. Just because you can measure something doesn't mean you should- and even if measurement makes sense, just piling numbers up doesn't make the resultant mess informative or useful. Please, think before you math. (Why yes, I have been reading so-called InfoSec "reports" and "studies" again, why do you ask?) Jack </description><link>http://www.secuobs.com/revue/news/448330.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/448330.shtml</guid></item>
<item><title>You know stuff. Share it. We'll help.</title><description>Secuobs.com : 2013-05-02 14:17:03 - Uncommon Sense Security - You know stuff, you've seen interesting things, done interesting research, have a unique perspective. You also know that the ability to communicate effectively and deliver your message to an audience is critical to professional success. But you haven't spoken at a major event, and you need some advice and encouragement. Maybe you are intimidated by public speaking- that's very common (there's even a word for this common fear, glossophobia). Well, we're here for you. By "we", I mean the BSides community in general, and in this case BSides Las Vegas in particular. BSides events have always encouraged new speakers, and some events have offered or are offering guidance, up to and including mentorship and coaching. This year we are continuing the Proving Ground track at BSides Las Vegas, a program which pairs those new to speaking, or at least new to speaking at a national event, with experienced speakers who will mentor, guide, and encourage you through developing, tuning, and presenting your talk at BSides Las Vegas. From the BSidesLV.org website: "One of our tracks is 'Proving Ground' and the main criteria to get a slot in this track will be being a first time conference speaker. As we all know how hard it can be to find your voice, or even to just translate data into talking points that won't lose your audience, we're looking to pair each of the Proving Ground applicants up with a mid to high profile mentor, with a solid track record of public speaking, who will work with them from CFP to podium. If this program sounds like something you'd be interested in, please review the BSLV Mentorship Program Information." I sometimes use this image in "how to give better presentations" talks, because I think it shows what is wrong with talks at a lot of conferences- the focus is on the speaker, not on the audience where it belongs. In the Proving Ground track our mentors put the focus on you, the new speaker- this gives you the support you need to focus on your message, and your audience. Time is running out to submit for this opportunity, please review the information on the website, and submit if you can join us for BSides Las Vegas. What if you are a more experienced speaker, but know you can do better? Would a workshop with other speakers, sharing ideas and constructive criticism interest you? Well then- let me know, and stay tuned. And watch James Arlen's talk on the topic if you get the chance, whenever he's giving it again. Jack </description><link>http://www.secuobs.com/revue/news/443129.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443129.shtml</guid></item>
<item><title>The envelopes please</title><description>Secuobs.com : 2013-05-01 19:26:15 - Uncommon Sense Security - I had a great time in London last week, I finally got to BSides London, had a good show at InfoSecurity Europe, and talked to partners and customers- and I got to co-host the second annual (we can call it that after only two, right?) Security Bloggers Meetup and first European Security Bloggers awards. The blogger gathering was great, I got to meet and catch up with a lot of folks I don't often see, and there were a lot of great conversations throughout the evening. About those awards- the winners were: The Best Corporate Security Blog: Sophos Naked Security Blog; Best Security Podcast: Eurotrash Security Podcast; Best Security Video Blog: InfoSec Cynic; Best Personal Security Blog: Thom Langford; Most Entertaining Blog: InfoSec Cynic; Most Educational Blog: Brian Honan's Security Watch; Best New Security Blog: Dave Waterson on Security; Best EU Security Twitterer, Tweeter, whatever: @rik_ferguson; Grand Prix Prize for the Best Overall Security Blog: Sophos Naked Security Blog. Congrats to all the winners. Big thanks again to Brian Honan for the heavy lifting in organizing the event and awards, to my coworkers and employer, Tenable Network Security, for sponsoring and arranging the food, drink, and venue, and to Qualys for sponsoring the awards. We've already started planning for next year- the venue was great, so Tenable has again reserved the Prince of Teck pub for the evening of Tuesday, 29th of April 2014 for the next European Security Bloggers Meetup and Awards. Jack </description><link>http://www.secuobs.com/revue/news/442955.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442955.shtml</guid></item>
<item><title>European Security Bloggers' Awards</title><description>Secuobs.com : 2013-04-13 02:38:37 - Uncommon Sense Security - The European Security Bloggers' Meetup is getting closer, and the nominations are in for the first European Security Blogger Awards. Voting is now open at https://www.surveymonkey.com/s/EUSecurityBloggerAwards. The rules are simple: Only one vote per person. How many votes per person? One. We reserve the right to validate any of the votes by using the contact details given. Judges' decision is final. The purpose of the awards is to provide a fun platform to recognise those who share with the community. Please respect the spirit of the awards. The Meetup will be on Tuesday the 23rd of April at the Prince of Teck Pub, from 18:00. The Prince of Teck is near Earl's Court, the site of InfoSecurity Europe. If you would like to join us, please register here at Eventbrite. This wouldn't be possible without the efforts of Brian Honan, so if you join us make sure to thank him when you see him. The European Information Security Bloggers Meetup is sponsored by the nice folks I work for, Tenable Network Security. And- I'm happy to announce that awards will be sponsored by the good folks at Qualys. Jack </description><link>http://www.secuobs.com/revue/news/439266.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/439266.shtml</guid></item>
<item><title>Digital Natives, Digital Savages, and immigration</title><description>Secuobs.com : 2013-04-04 05:25:27 - Uncommon Sense Security - It has been a while since I've written about "Digital Natives", but Krypt3ia's recent post "Digital Natives, Digital Immigrants, Exo-Nationals and The Digital Lord of The Flies" has me thinking about it again. He raises some great points in that post, and I would like to add a few thoughts of my own. If you haven't seen it already, take a few minutes to read Krypt3ia's post, and I'll meet you back here. I think about the generational issues in technology and security, and only partly because I'm old. Generational anomalies have intrigued me since I was a kid. Back then I had a realization about my peers, I believe there were effectively two generations of the same age- those of us who were "late babies" of folks who went through World War II, and those who were the children of younger parents. Those of us whose parents fought the war (mom flew in the WASP, dad served in the Navy) seemed to straddle the generation between our older siblings (the real Baby Boomers) and our peers. If you know folks born in the late 50s or early 60s, float this idea past them and see what they say. Enough tangent, back on topic Jack. Caution: metaphor and analogy abuse ahead, with some stereotyping thrown in for added color. And I sound like an old fart. Which I am. First, those who have grown up with computer technology, the Digital Natives, have a level of familiarity and comfort with technology which is often mistaken for expertise- but for many the expertise is superficial at best. Those of us who work in technology, especially in security, are often amazed by the brilliant young people around us- but we forget they are anomalies, not the norm. The ability to grok the latest changes to Facebook does not equate to an understanding of web technology as much as it displays a level of comfort and familiarity. That familiarity can be a problem- familiarity removes fear, and a lack of fear leads to excessive trust. This should be a critical concern for those involved in security and privacy. The familiarity and comfort often translates into people with amazing proficiency in technology, and a level of effectiveness that is astounding- just don't forget to assess the security awareness of those young folks. And about that effectiveness, it is not ubiquitous- let's talk about your local gas stations, convenience stores, budget hotels, and livery services. Yeah, if we're going to use words like "natives" for people who have grown up with tech and "immigrants" for us old farts, I am going there. Dismissing "immigrants" is stupid, they (we) often fill niches in the economy that natives do not, for whatever reason. The same is certainly true for technology. It would be easy to resort to ignorant claims about natives' aversion to hard work- but that is certainly not true in tech, and the work on stress and burnout I've been involved in proves that. It is also true that many "immigrants" will never master the level of understanding of new technology that will be required to keep up in the rapidly changing world of technology, but it is also true that those who have survived the workplace for a few decades are more likely to be able to effectively deal with the harsh realities of working for a living after surviving it all these years. OK then, what's your point Jack? I'm not sure I have one, other than a sweeping generalization warning against buying in to sweeping generalizations. If I were a better person I would suggest more cooperation and communication between generations to help each other adapt to the challenges we face, but that's not my style. And get off my lawn. Jack </description><link>http://www.secuobs.com/revue/news/437524.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/437524.shtml</guid></item>
<item><title>European Security Bloggers Meetup and Awards</title><description>Secuobs.com : 2013-03-20 02:19:01 - Uncommon Sense Security - This year will be the second annual European Security Bloggers' Meetup, and will include the first European Blogger Awards. The meetup will be Tuesday evening, the 23rd of April, from 18:00-21:00, in Kensington (London) near the Earls Court conference center (the site of InfoSecurity Europe). BSides London is the following day, so it will be a busy week- join us for a relaxing and conversational evening before the madness gets overwhelming. If you are a security blogger or podcaster, please sign up at the event's Eventbrite page to get all the details. Also, if you are a European security blogger or podcaster, please participate in the blogger award survey, nominate your favorite blogs and podcasts now. And thanks to Tenable Network Security (my employer), who has signed on as sponsor of this year's gathering. Jack </description><link>http://www.secuobs.com/revue/news/434668.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/434668.shtml</guid></item>
<item><title>ThreadFix, an Open Source tool for software vulnerability management</title><description>Secuobs.com : 2013-03-17 16:45:53 - Uncommon Sense Security - As many know, I've spent the last couple of years in the vulnerability management world- at least what we generally accept as "vulnerability management". Although I think what we do at my "day job" (what a quaint concept, "day job") is stellar, there is a hole in vulnerability management- vulnerability management for applications from a code review and process management perspective. Known and published application vulnerabilities are part of a mature vulnerability management program, but what about the results of internal and external code review and testing- how do you manage disparate data sources on vulnerabilities in your organization's code? How do you share that information, and get the right information to the right people- in the format they want? How do you leverage the information as quickly and effectively as possible? For many people, I assume a kludge of ticketing and bugtracking tools are used, probably with a few spreadsheets tossed in to connect dots that the tools don't support. Enter the good folks at Denim Group, they have created ThreadFix, an Open Source "application vulnerability management platform". I had a chance to sit down with Dan and John from Denim at the recent RSA conference and take a look at ThreadFix, I'm impressed. Application security is not a major part of my day to day work, but it is still an area I try to keep an eye on- and ThreadFix looks like a great project. As I mentioned, it is Open Source, but it also has an established application security company behind it- this means you can grab the code from Google Code and run with it on your own, or you can turn to Denim for assistance and support if you need some corporate backing in your environment. The features of ThreadFix (from Denim's ThreadFix page) include: Simplified View of Application Test Results: Consolidate and de-duplicate imported results from open source, commercial dynamic and static scanning tools, as well as the results of manual testing and threat modeling to get a complete view of the state of your applications. Reports: Get the latest security status of your applications while providing an eagle's-eye view of your organization's progress over time to pinpoint any process problems. Defect Tracker Integration: Help security professionals translate application vulnerabilities into software defects and push tasks to developers in the tools and systems they are already using. Virtual Patching: Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being resolved. While your organization takes on remediation of your applications, virtual patching helps guard against common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injections. Compatible with Open Source and Commercial Products: ThreadFix is compatible with a number of commercial and freely available dynamic and static scanning technologies, SaaS testing platforms, IDS/IPS and WAFs and defect trackers. Version 1.1 of ThreadFix is available as a release candidate now, and should be available as a stable release very soon (1.1 adds support for additional scanners, including NTO Spider and IBM AppScan, and numerous other enhancements- and, of course, bug fixes). If application security is part of your world, take a look at ThreadFix. Side note and conference tip: if you want to talk with friends at an event like RSA, and know you'll be crazy busy- go ahead and schedule a meeting, even through their PR folks' messages in your inbox. If you don't, the week will disappear. Just don't say "I'll meet you in the lobby" at events the size of RSA, several thousand other people have the same idea and you end up playing cell phone Marco Polo. If I hadn't scheduled time with Dan and John I might have waved to them at a party, but couldn't have had a meaningful conversation. Jack </description><link>http://www.secuobs.com/revue/news/434125.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/434125.shtml</guid></item>
<item><title>Improvement: incremental, or excremental?</title><description>Secuobs.com : 2013-03-15 15:34:38 - Uncommon Sense Security - "We NEED radical change- the only way we can solve the challenges of securing systems and information is through radical change in the way we... blah, blah, blah." What we need, and what many people understand, is to allow reality to participate in our pronouncements. Yes, the state of InfoSec is pretty sad, and many approaches to improving it have sprouted sects which are devolving into bad religions (note that I didn't say "metrics", "risk", or "pentesting", you thought of those on your own). To be clear, my objection is not with these practices, it is with irrational and often myopic faith in them. I'll tell you what we NEED, we need a cure for cancer. Sadly, we aren't likely to "cure" cancer anytime soon, there are too many different diseases under that label, and too many causes to simply "cure" it. What we are getting, however, is (for many types of cancer) improved treatment, with improved quality of life, and higher survivability. I truly hope that within a few generations people will look back on chemotherapy as we look back on bloodletting today; if that happens, I believe it will be through incremental gains. (Note: do not naively dismiss the occasional value of bloodletting, for some maladies it enforced bed rest when that was what was needed most. For the record, I am not a doctor, and I don't even play one on Twitter- I am not suggesting a return to it as a mainstream medical treatment.) So, bloodletting occasionally helped people recover, when it didn't make them worse or kill them. Sounds a bit like chemo, doesn't it? As for InfoSec, we're talking packets, not people. Having added a bit of perspective, let's revisit what we need, and what we might get, in InfoSec. It would be lovely, like a field of flowers in spring, to make radical changes to infrastructure, code, human behavior, etc. We could all frolic through the greenfield networks, and rest easy with robust code handling our transactions. I'm sure we wouldn't make any mistakes in design or implementation this time. Just watch out for hay fever in this dream world of yours. I hate to rain on idealists' parades (OK, you got me, I love it), but while some people do get to implement rapid radical change, remember that some people also get to win huge lotteries. If you are reading this blog, I'll assume that you, like me, are neither of the above. Most InfoSec professionals, from the trenches to the executive level, are tied to environments with limited and infrequent opportunities for radical change. We can make things a little better, with the goal of minimizing bad things and gradually improving overall. Or, if we are brutally honest, we may admit we're more like sewage plant engineers, and that "stink less tomorrow" is a laudable goal. But some changes just aren't worth the effort. With our environments continuously becoming more hostile and elaborate, doing nothing means losing ground. BUT, change does not assure improvement, and change for the sake of change may make things worse. At the risk of offending some friends in the business, spending weeks or months researching a new anti-virus solution, then spending the time and money to implement it may not be worth the effort and investment. Some poorly thought out "improvements" will actually make your environment less robust, and a lack of familiarity with new systems can set back your ability to properly manage and secure your environment. Change for the sake of change is crap. I would suggest you instead spend that time on filling known holes in your visibility and awareness- such as log aggregation and analysis (Disclaimer: yes, I know- I work for a company which sells this kind of tech. I have advocated this for years, it isn't about sales), or application whitelisting, or improved patching- something, anything, that can actually move you forward. Unless you are one of the "lottery winners" who can make big things happen fast, focus on the incremental changes you can make today. And keep a wish list handy for when you win the lottery. Jack</description><link>http://www.secuobs.com/revue/news/433796.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/433796.shtml</guid></item>
<item><title>Thank goodness that's over</title><description>Secuobs.com : 2013-03-05 20:23:20 - Uncommon Sense Security - As Dickens once said: "It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair." I am, of course, talking about the week of madness in San Francisco which centers on, and swirls around, the RSA conference. I don't know where to start, it was a wild week. Security BSides San Francisco was a great event, a new lead organizer and team of new and veteran crew and volunteers put on a great event at a funky new venue, the DNA Lounge. The event also moved to Sunday and Monday from the Mon/Tues it has been the past two years. A couple of things could have gone more smoothly, but it was an outstanding event, in spite of some challenges. A wide variety of great content and peripheral events, and an unusual but effective venue made this event a success. It is hard to believe that three years ago was the first BSidesSF, which was only the third BSides event. BSidesSF 2013 was the 67th BSides event globally (if my count is correct), and we've yet to hit the four-year anniversary of the first one. There are a lot of BSides events coming up, check the BSides wiki for all the details. The RSA Conference itself was even more "RSA Conference" than usual, record attendance (I heard numbers like 24,000 people, but that's unconfirmed), and record highs and lows. The expo floor was largely disgusting, the level of hype and chicanery was arguably worse than ever (a record not to be savored). This year brought a couple of revelations about the expo floor, primarily this: the worst of the expo floor largely offers "InfoSec Homeopathy", but without the advantages of any potential placebo effect- it simply diverts us from appropriate cures. I would love to get a documentary (mockumentary) crew to follow a few folks who've played this game for many years as they wander the aisles calling out the age of the "new technologies", the acquired tech left to languish under the mismanagement of big firms, and the absolute snake oil. In this fantasy, Gene Spafford, Marcus Ranum, and Robert Graham are your tour guides through the show floor. I'm too fond of these folks to actually ask them to do it, however. In between the hype and hyperbole, there are always companies at the expo for the right reasons, to engage customers and prospects in rational conversations about their products and services- you just have to look past the booth babes, cars, and screaming barkers. Speaking of "booth babes", this year brought a worsening of the "booth babe" phenomenon. I hate to even mention their name for fear that PT Barnum was right, but ForeScout's "Catholic Schoolgirl" attired booth women represented a new low. Based on comments from friends, it may be that no one is going to buy their product based on its merits, but that is no excuse. Sadly, they weren't alone in the booth misogyny department. Speaking of misogyny, I did get to wear the latest in Misogyny Networks fashions a couple of times during the week. Note that we do not have to put up with this, InfoSecurity Europe has updated their terms and conditions to prohibit "booth babes". I applaud InfoSecurity Europe, and hope others follow their lead. But it was not all bad, the crowds meant good traffic through the corporate overlords' booth, and we had many good conversations about what we do and the way we see the landscape. Many others in the industry who were at RSAC to conduct business seemed to have a productive event as well. Unfortunately, the high booth traffic meant I didn't get to see the talks I wanted to see, and there were several that looked good and had good reviews. But for me RSAC is about the business, so that's where I focused. It's worth mentioning that many attendees never visit the Expo floor, and many attendees never see a talk, and many seem to only be interested in the parties. You need to find an approach to RSAC that serves your needs- if you don't, you'll probably be mired in misery and frustration. Speaking of parties, I avoided most of them this year and focused on a few smaller events where I could connect and reconnect with people. I did attend the Security Bloggers' Meetup, it is a can't-miss event for me where I can see folks in person I normally only see online. This year's awards were great, with one notable exception: the judges voted me into the SBN "Hall of Fame" over better and more deserving nominees. I am grateful and flattered by the award, I just think many others have contributed more to the security blogging community. Also winning this year was the Pauldotcom podcast, which has won four out of the five years the awards have been given. Since Paul and Larry launched the podcast many years ago, it has grown and evolved- the current crew of Paul, Larry, Mike, Allison, Patrick, and the audio and video team is a pleasure (and occasional terror) to work with and I'm honored to have been a part of it for the past couple of years. Now, back to work. Jack</description><link>http://www.secuobs.com/revue/news/431564.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/431564.shtml</guid></item>
<item><title>Find your pebbles</title><description>Secuobs.com : 2013-02-19 17:11:09 - Uncommon Sense Security - I have just left one of my favorite gatherings of the year, Shmoocon, and I'm now at the Microsoft MVP Summit. While they are very different events, and the total attendance overlap is probably fewer than five of us, there is a common thread: I'm spending time with people who have found something which interests them, and are exploring and sharing what moves them. It is easy to dismiss the things we don't care about personally, or ask "how could anyone get excited about (whatever)", but I think encouraging curiosity, exploration, and especially sharing what you know- these things are critically important, personally and professionally. Even if others don't agree, or you think you are just amusing yourself. Some centuries ago a man looked back at his life's work and said: "I do not know what I may appear to the world, but to myself I seem to have been only like a boy playing on the sea-shore, and diverting myself in now and then finding a smoother pebble or a prettier shell than ordinary, whilst the great ocean of truth lay all undiscovered before me." Granted, some folks find pebbles which are more universally interesting, and shells which lead to advances for the greater good, but I think that quote should encourage you to find your pebbles to study and share. It seems to have worked for Isaac Newton. Jack</description><link>http://www.secuobs.com/revue/news/428565.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/428565.shtml</guid></item>
<item><title>Virtually Absolute? Or not.</title><description>Secuobs.com : 2013-02-18 12:32:38 - Uncommon Sense Security - It is almost time for the RSA Conference, where those in attendance (and via the media, those not in attendance) will be bombarded with hype and hyperbole, on topics old, less old, contrary to popular belief, even new. The part of RSA which frustrates and demoralizes most attendees is the expo floor. Some people avoid it entirely, which I can appreciate- but for those of us in the industry, we have to be on the floor, working for our companies, and checking out the state of the industry. Others see it as a way to check out products and services, and talk directly to the vendors. Whatever brings you to the expo floor, remember that it is a sales and lead generation event (which explains, poorly, the "booth babes", fast cars, and other nonsense). When talking to vendors, my standard advice applies: watch out for absolutes. If anyone is claiming to have "the answer" to an InfoSec challenge, run away. If someone claims to have "an answer", you may want to listen if it interests you (but always keep the BS shields up, and keep an eye on the exit path). If you find someone who offers something shrouded in what are often derisively called "weasel words", pay close attention. These tend to fall into two categories: those overstating their product's or service's performance, who use weasel words to provide an escape clause for their "exaggerations", and those who know the world is complex and who are unwilling to promise the impossible, but believe in what they do. In the former case, those not-quite-absolute words are indeed weasel words; in the latter, they are honesty. Sadly, the former far outweighs the latter. It may not be a compelling statement, but if someone tells you "I think we may be able to help you solve part of your challenge", pay attention. Maybe they're offering crap, but more likely they are being brutally honest about the challenges of InfoSec, and have probably been in the trenches themselves and didn't appreciate vendor tall tales. Note: this advice primarily applies to face-to-face conversations. Banners and marketing materials have to grab your attention (admit it, you aren't going to respond if they don't grab you). And yes, as implied above, I'll be at RSA, Tuesday-Thursday, mostly in the Tenable booth (it seems like the least I can do for them, considering the regular paychecks they send me). I'll also be around BSides San Francisco on Sunday and Monday. Stop by and say hello, I'm pretty easy to spot. Jack</description><link>http://www.secuobs.com/revue/news/428319.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/428319.shtml</guid></item>
<item><title>Don't be "that guy"</title><description>Secuobs.com : 2013-02-02 20:20:05 - Uncommon Sense Security - I was recently having a conversation with a friend who was telling me a story from a conference a few years ago. My friend had an unpleasant interaction with an unpleasant person, and in the telling said something like "I was talking to this guy, (really common first name) something, a real tool", to which I said, "oh, yeah, HIM", and the story continued- as another friend joined us and when caught up on the story he knew exactly who we meant and had his own stories about (really common first name). Keep in mind that none of us had uttered a last name, although by now one corporate affiliation had been mentioned to confirm that we were indeed all talking about the same (really common first name), who we all agreed was "a real tool". The active part of the InfoSec community really isn't that big, and bad reputations tend to stick. There are a lot of brilliant people in our industry, and more than a few successful (by a variety of definitions) people; there are also a fair number of out-of-proportion egos. Don't be like (really common first name), a little humility and common decency are probably all that are needed to keep you in good standing. Perhaps we could all use reminding of the classic Midwestern parents' admonition "don't think you're special, because you're not", or maybe the modern equivalent, "yes honey, you are special- just like everyone else". Jack</description><link>http://www.secuobs.com/revue/news/425455.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/425455.shtml</guid></item>
<item><title>A contrarian's book review</title><description>Secuobs.com : 2013-01-16 05:03:36 - Uncommon Sense Security - You've heard about The Phoenix Project, right? This great new book by Gene Kim, Kevin Behr, and George Spafford has received a lot of praise- and deservedly so. The book is described as "A novel about IT, DevOps, and helping your business win". That's right, a novel. I was a bit skeptical at first, but it works; it provides practical context for the issues raised. Some of the problems seem a bit contrived, especially in some of the combinations presented- until you think back on the stunningly dysfunctional places you've seen, then it becomes all too believable. The book explores many common IT issues and extrapolates the consequences across the enterprise- and it also explores the many factors which limit IT's success, both internal to IT and from the rest of the organization. I will admit that the ending left me a little disappointed, heroes need to die in the end, or at least ride off into the sunset leaving others behind crying- but this is a business and technology novel, not a western, so I guess I'll have to forgive them for allowing our hero to both make substantial progress, and survive. But if there's a sequel, well, there just had better be fewer survivors. There is one character who is at risk of not surviving, he suffers from serious burnout- and I want to thank the authors for integrating this very real fact of life into the book (yeah, I know- I owe you an update on that project). It is a reminder that people are a critical part of technology. So you already know all about modern business, DevOps, and making technology work for the organization instead of the other way around? You'll still get something out of the book, but you may find the book most valuable as a gift to those who you struggle to make understand these issues; this book makes our rants understandable and approachable. I will admit that I entertained the idea of asking for an "ultra-hard cover" version so that I could use it for percussive persuasion on some folks I've dealt with, but Gene didn't seem to think that was appropriate. He also seemed to think that "delivering" the book laminated to a clue-by-four was inappropriate- but Gene is a much nicer person than I (and he probably has lawyers and stuff to advise against such things). The Phoenix Project is available in hardcover (but not ultra-hardcover) and Kindle versions. If you want to hear from Gene Kim himself about this and whatever else is on his mind, he will be joining us on this week's Pauldotcom podcast. Jack</description><link>http://www.secuobs.com/revue/news/421989.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/421989.shtml</guid></item>
<item><title>"Experts" who tell you to do dumb things...</title><description>Secuobs.com : 2013-01-11 20:38:58 - Uncommon Sense Security - ...are not experts. We have just had another round of Internet Explorer and Java bugs announced in the past weeks, followed by another round of so-called experts telling everyone to stop using IE and Java. This is pointless, and counterproductive, and an indication that these "experts" probably have no practical experience in a business environment. I doubt that anyone who pays attention to security advice is running Java, IE 6/7/8, et al because they want to- we run these things because we have to, and the decision is out of our control. Anyone who doesn't understand this doesn't understand enough to give advice. Yes, there are a lot of people running old, vulnerable crap they don't need. They aren't listening to the InfoSec echo chamber, so don't bother trying to reach them there (here). It's like the folks who dumped Adobe Reader in favor of Foxit for security reasons- now scrambling to patch the latest critical vulnerability in Foxit. I dumped Adobe Reader in favor of Foxit because I find it faster and lighter, and because of a general loathing of Adobe. I do have to update it less frequently, but I believe that is largely due to the reduced market share relating to reduced value to attackers- much like OS X has never been "secure", but historically it hasn't been as targeted as Windows. I see two central problems feeding this issue: "dump X" is a compelling headline, reality isn't; and the ever-present quest for simple solutions to complex problems. Here's my advice, which you probably already know: Dump anything you don't use. Dump anything with a proven track record of failure which you don't need (for example, if you don't need Java, uninstall it). That's the easy bit, the rest requires thought and effort. If you need Java for desktop apps, but don't need Java in your browser- disable the browser plugins. If you have to support vulnerable browsers or other apps- restrict their access to only the resources which require them and use other apps or browsers for "normal" use. Or have limited use systems if you can get away with it. These introduce pain of their own, but can be done. Configuring proxy settings in the browsers (or possibly mis-configuring) may be a relatively easy way to control browsers depending on the situation (or it may completely break networking for the systems). And all the other stuff you already know: Reduce use of admin-level permissions wherever possible, especially domain admin, and especially where you know you are supporting insecure systems. Improve authentication- this may mean using all eight characters the crappy app allows, or maybe you can move to two-factor, or something in-between. Crank up the logging. Crank it up to eleven on the likely targets, and then (here's the tricky part) actually look at those logs. And finally, my comment to those who propose naïve and stupid things like this: "Shut up. Just shut up. If this were easy, even you could do it." Jack</description><link>http://www.secuobs.com/revue/news/421291.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/421291.shtml</guid></item>
<item><title>Apparently obligatory Surface RT post</title><description>Secuobs.com : 2013-01-11 13:21:05 - Uncommon Sense Security - Everyone seems to be writing (spewing drivel) about the Microsoft Surface RT again lately, so I think I'll join the party. Yes, I bought a Microsoft Surface RT, and have been using it for a couple of months. The very short, insulting intro: actually read the specs on this thing before you buy, it probably isn't for you, so don't complain because you spent your hard-earned (or so you claim) money naively. Moving on. First, the cool stuff everyone has covered: It has a real USB 2.0 port, and while many things don't work, the stuff you need probably does. In my case that means keyboards, mice, and especially presentation remote clicky things. Oh, and all of your USB storage devices, reducing the pain of limited on-board storage. The MicroSD card slot further reduces the storage issue by providing a fast and simple way to expand capacity. This is especially important because much of the onboard storage is taken up with the OS, apps, and recovery partitions/images. (By the way, the recovery/reimage options are simple and useful.) My 32GB unit had 15GB available, but I read the specs before buying, so I wasn't surprised. Did I mention you should read the specs? It is a real Windows machine (almost). It has a command prompt, PowerShell, and other stuff like a real computer. The external keyboards connect via real connectors, not Bluetooth. This is a huge deal if you don't or can't trust the area around you, or if you want to use your keyboard on an airplane or other wireless-comms restricted area (OK, if you want to use the keyboard within the rules, I see plenty of folks using BT keyboards where they shouldn't). Turn all the radios off, and the keyboard works- amazing. I went for the better keyboard, with real keys, and it even has a touchpad- it is also wide enough to be usable (I consider it a mandatory option). Some folks have observed that the widescreen layout is great for video in native resolution- but few have mentioned how good it is for multitasking or using apps like PowerPoint where some editing panes open on the side. Which brings us to applications. Surface RT has three solid and unique (for now) apps in the tablet space (if you believe Surface is actually a tablet): Microsoft's Word, Excel, and PowerPoint 2013. That's it, if those move you, or at least are critical to you, this thing may be worth it. (It also has OneNote, which rocks, but is not unique in the space.) It is worth noting that if you need macros in your Office apps, RT will not do what you need. What about the rest of the applications? Pretty much horrible, poor selection of crappy apps. The native mail client is pathetic and I haven't found a less-bad one, Twitter clients suck, the only browser is what can be called "almost IE10"- which claims "limited Flash support", and it appears limited to "none". And the browser puts the address bar at the bottom, and hides tabs from you, just to frustrate you- unless you jump out of "Metro" mode and to the desktop, where it flips to a normal (read: usable) layout for IE10. Speaking of browsers, the vast majority of apps in the store are just websites pretending to be apps. What else? The hardware is an interesting mix of good, bad, and ugly. USB, keyboard and connector, and MicroSD were mentioned above. The cameras are decent, the screen is no Apple magical thing, but it is very nice. And that really-wide-screen means the onscreen keyboard takes up half the screen in landscape mode, and let's just not talk about the uselessness of portrait mode with this device. One negative about the keyboards, they have floppy connectors, they are annoying at best if not on a solid surface. The battery life is very good, and recharges reasonably well (but the wall wart is a plug-blocking pig). The "kickstand" is an amazing feat of engineering, it is ALWAYS at the wrong angle. I have no idea how much research was required to engineer this, but I'm impressed. I am also very disappointed, because the beveled edge of my iPad Not Three (the model between iPad Two and iPad Four) makes me loathe holding the thing for any length of time, and makes it hard to park anywhere useful without external aids- I had hoped this would solve that problem. It does help a little, but it is far from solved- and the Surface also has a beveled edge. It is less painful to hold than an iPad, but "less painful" is not really what I wanted. Also, that beveled edge means you have to get almost-but-not-quite standard looking video adapters from Microsoft if you want to connect to VGA or HDMI (see, they are learning from Apple, just the wrong things). So in other words, don't buy one. Unless, like me, a lightweight, highly portable, long lasting MS Office tool is of great value to you- then get one if you can justify the expense, but know you'll probably still carry your Android or iThing for everything the Surface won't do. For me, PowerPoint 2013 is a huge deal, and the extra wide screen means that the much improved "presenter view" in PPT '13 is fantastic. That's my rationale, and it has proven valid and valuable repeatedly already- this is a fantastic presentation tool for me. I carry the VGA adapter, presentation remote, and I'm in business- with a machine I can really create and edit with if needed. If Apple didn't hate me (contrary to popular belief, I don't hate Apple, I just hate everything they make, which tells me they don't like me), I would probably be all over a MacBook Air for this need, but that's significantly more money than a Surface (but is also more machine). Jack</description><link>http://www.secuobs.com/revue/news/421210.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/421210.shtml</guid></item>
<item><title>Managing employees and expectations</title><description>Secuobs.com : 2013-01-08 11:16:41 - Uncommon Sense Security - Time for another rant about employers and employment. Not mine, I've been very lucky lately and have worked for great companies, but I see a lot of things which make me crazy, and which cost companies good employees. It is entirely possible that I've made some of these blunders myself back in a past life. First, a bit of background. There are some InfoSec jobs in some market segments and geographic areas which effectively have zero unemployment, and the headhunters are circling like sharks to pick off those willing to change. This means you have to treat your people well to keep the sharks hungry. There are also titles/skills/regions which are not in the insane demand cycle. Sadly, many organizations can't (or won't) expand their horizons to grab some of the talented people who "almost fit", but that's a whole other discussion which gets into education, relocation, telecommuting, etc. Bottom line is that if you want to hire and retain the best, it takes effort. Let's start with turmoil. Turmoil happens, organizations grow, shrink, and merge. Rumors start, and spread fast. Employers need to calm employees and tell them the truth. I know that many times secrets need to be kept, but either tell the truth or keep quiet- lying to employees (temporarily) is a short-sighted move. If there are key employees you really need to keep productive, they need to know more than simply "your job is safe", but that they are important to the bigger/smaller/merged organization and will be treated as such. Honesty matters, in times of turmoil as mentioned above, but also at all times. If you don't know something, admit that, if you can't tell an employee something, find a gentle way to explain that. People don't like being lied to, and when we find out we've been misled (which almost always comes out eventually) we are more likely to move on- and tell other prospective employees that the employer can't be trusted. Pre-burning bridges is a really bad idea. Finally, remember that we all talk to each other, word spreads, and if you want the best employees, a trail of disgruntled past and current employees will make it much harder to hire the right people, and it is already nearly impossible. Jack</description><link>http://www.secuobs.com/revue/news/420418.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/420418.shtml</guid></item>
<item><title>Pointless observation on snow removal and InfoSec</title><description>Secuobs.com : 2013-01-07 01:48:57 - Uncommon Sense Security - Winter has finally arrived here on Cape Cod (although global warming has apparently altered the migratory patterns of the snow birds who should all be in Florida by now- but they are still here, driving very slowly along Route 6A, their little blue haired heads barely visible behind the wheel). But I digress. As we were shoveling the driveway and deck, it occurred to me that snow removal is a lot like the tedious bits of InfoSec. It is always reactive, and we have to do it or things get worse- but we're always in clean-up mode, never preventative mode (except possibly for the aforementioned global warming). That's it. I told you it was pointless. Jack</description><link>http://www.secuobs.com/revue/news/420136.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/420136.shtml</guid></item>
<item><title>A "tax" time rant</title><description>Secuobs.com : 2013-01-01 18:25:24 - Uncommon Sense Security - January first, and I got my annual "pay up for the privilege of being able to put potentially embarrassing letters after your name" note from the (ISC)², also known as my annual member statement and invoice for AMFs (annual maintenance fees). I consider many certifications, especially the CISSP, to be an InfoSec career tax; you have to pay it if you want to participate in many parts of the field, especially to get past hiring issues where blind adherence to checklists prevents rational hiring decisions (see US DoD 8570 for one example of this mentality). Some folks may have noticed that I'm not very fond of the (ISC)², or its alleged "ethics" process, or elections process, or stale content. If you want some back story on this, I'll refer you to these posts by Robert Graham and the Security Curmudgeon over at Attrition. I won't add any details of my own, and everything here should be understood as just my "opinion" (because I'm terrified that (ISC)² will sic the legal terriers, or worse, on me- and I can't afford all the new socks that would be required after that much ankle-biting). I think that the (ISC)² ethics "problem" is simply that their goal is to protect (ISC)², not to protect the value of the certifications, and certainly not to protect the InfoSec community or our customers and clients. In other words, what I (and many others) see as a problem is in fact their desired outcome. I believe that (ISC)² hides behind disqualification of complaints, and secrecy, to shield itself from having to take action or provide full accountability. Here's my fantasy for the ethics process: transparency. (My real fantasy is the dissolution of (ISC)² and abandonment of all of its certifications, but that one seems even more unlikely than this one, so let's move on.) I understand one rationale for secrecy around ethics complaints, protection for the falsely or erroneously accused. I reject that- ethics challenges can and should be published and the results of investigations should be made public. False or erroneous charges would be publicly addressed, and the air cleared. Ethics complaints which are rejected for a failure of the complainant to meet the requirements of procedure or standing should be published, with reasons for rejection- if the standards or grounds for "standing" to bring complaint seem onerous, it will be visible, and can be addressed through the Board of Directors or other means. I have not had faith in some of the people entrusted to review ethics complaints, and opening the process to scrutiny would help to either assure us that all participants are acting in good faith- or expose them so that action could be taken to address concerns. I am sick of (ISC)² hiding behind policy and being able to weasel out of admitting that complaints have been filed by hiding behind intentionally restrictive policies- apparently if a "complaint" isn't accepted, it isn't a "complaint", according to the (ISC)²- and if someone says a complaint was filed (ISC)² can reject that assertion because the complaint wasn't accepted. In my opinion that's unethical and dishonest. By the way, when I say published, I mean publicly, not behind an (ISC)² login, the aggrieved parties are not always members. More importantly, since the CISSP is used as a de facto public standard it should have transparency. Jack</description><link>http://www.secuobs.com/revue/news/419355.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/419355.shtml</guid></item>
<item><title>Great Information Security Resources from the DSD</title><description>Secuobs.com : 2012-12-30 23:46:49 - Uncommon Sense Security - I've referenced the Australian Defence Signals Directorate's Cloud Computing Security Considerations document in the past, but they have a lot of other resources available. Many of the references are wonderfully light on government-speak and bloat, and are downright informative and readable (amazing, I know). Their Strategies to Mitigate Targeted Cyber Intrusions lists the top 35 mitigations for intrusions, and is a solid list- including not only efficacy ratings, but user resistance, and upfront and ongoing costs. They call out application whitelisting as the number one mitigation, and consider it mandatory. Their website has a lot of good info, I find the Information security advice and Information security references sections to be the most informative. Yes, they spell "defence" funny, but then they probably think Americans spell defense funny, too. Jack</description><link>http://www.secuobs.com/revue/news/419174.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/419174.shtml</guid></item>
<item><title>Act now, it's crunch time for (ISC)2 candidates</title><description>Secuobs.com : 2012-09-16 22:42:56 - Uncommon Sense Security - If you hold a CISSP or other certification from (ISC)2, please read this. If not, you'll probably want to skip it, unless you are having difficulty sleeping. I keep trying to ignore it this year, but I can't. There are a bunch of people running for the (ISC)2 Board of Directors, including about a bazillion unendorsed candidates. OK, maybe not a full bazillion, but at least seven- and they need at least 500 "signatures" to get their names on the ballot for the upcoming election. I think Rob Graham summed up my feelings very well in this post. I think (ISC)2 and the CISSP just need to go away, be put on an ice floe and sent out to sea- but since that seems unlikely, I'll support folks who want to make a change. Wim Remes made it to the board last year from a write-in candidacy, let's see if we can get more- at least on the ballot. Grecs has done a great job keeping tabs on the candidates, blog posts, and articles on the subject- see this post at the Nova InfoSec portal- it has all the details you need to find most of the candidates, and instructions on signing their petitions (it's easy, just send an email to the candidate from the email address on record with (ISC)2 including your full name, (ISC)2 member number, and a statement that you are signing (endorsing)). I believe getting write-in candidates on the ballot is worth the few minutes it takes, it gives us a choice of BoD members, and (I hope) it sends a message about the "endorsed" candidate pool, and that whole process of restricting choice of candidates. Signing the petition to get someone on the ballot does not commit you to voting for them in the election, and there seems to be no limit on the number of petitions you can sign. (In the actual election you can vote for no more than four candidates.) Please take a few minutes and review the positions of the various candidates, especially "The Four Horsemen"- and then please sign the petitions of those you feel appropriate. Jack</description><link>http://www.secuobs.com/revue/news/399958.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399958.shtml</guid></item>
<item><title>Pauldotcom 300th episode</title><description>Secuobs.com : 2012-08-28 19:43:11 - Uncommon Sense Security - I assume if you are a regular Pauldotcom listener you probably know about this week's special episode- but if not: it is the 300th episode, and will run from 10:00 am to 6:00 pm EDT. The lineup of guests and tech segments is outstanding, and we will be raising money for breast cancer research throughout the event. Full details are at the episode 300 page, here are just a few highlights: Tech segments galore. Panel discussions on Mobile Security, Security Awareness Training, What Really Works in Network Defense, and Is Pentesting Worth It? The guest lineup is amazing, including Charlie Miller, Wendy Nather, SpaceRogue, David Mortman, Josh Wright, Zach Lanier, Dameon Welch-Abernathy (aka "Phoneboy"), and many more. Please join us live on Friday, or enjoy the audio or video recordings later- and help us raise money to fight breast cancer. Links to make donations are on the top of the episode 300 page. Jack</description><link>http://www.secuobs.com/revue/news/396301.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396301.shtml</guid></item>
<item><title>The BSides Las Vegas 2013 Innovation Challenge (aka "The Science Fair")</title><description>Secuobs.com : 2012-08-17 09:13:41 - Uncommon Sense Security - Yes, 2013. There are a lot of great BSides (and other) events between now and then, but we want to get the word out about this to give people time to come up with some amazing submissions for this challenge. The Innovation Challenge is being run in conjunction with Security BSides Las Vegas 2013 by a team led by A.P. Delchi. Full details of the "Science Fair" are in the press release below. The BSides Las Vegas Innovation Challenge, aka "The Science Fair". Produced by: AP Delchi. OVERVIEW: Remember the heady days of the science fair? Demo parties? People coming together to show off the amazing bits of awesome that they had made in their basement? It's time to revive this tradition and bring it to the modern day security conference. From an open call to the world, twelve teams representing hackerspaces and maker groups will be selected to come to Las Vegas to compete in four categories in front of a panel of judges to demonstrate what they have accomplished. Awards will be based on cash and hardware provided by sponsors and donations from across the industry. THE CHALLENGE: Get your hackerspace, maker group, or team of friends who tinker in your basement and prepare your best projects and innovations to be presented to the BSides Las Vegas conference. This is an open call to groups that have established themselves, or are up and coming and ready to amaze the world. Submission methods are up to the group, but videos, pictures and live demonstrations are suggested. The call for submissions will be seeking entries for the following categories: Category One: Things that make things. Did your group build a 3D printer, laser cutter, CNC device or some other piece of awesome that helps you make other things? What did you do with it after you built it? For example some folks have built 3D printers and used them to fabricate parts from skateboard wheels to carrying cases. Show us what you built, and what you built with it! Category Two: Biohacking. Has your group experimented in gene splicing, implants, aeroponics, automated hydroponics, biofuels or other such biologically inspired projects? Bring your beakers and your Jacobs ladders to the people who rarely hear about such things. Innovations such as a kit to test food to see if it contains GMOs, innovative home farming methods using automation and chemistry are what we are after. Category Three: Vehicles. Get out of the garage and in front of the people! Have you turned your ordinary car into a hackmobile? Converted an old school bus into a rolling data center? Does your car have more storage space than your home computer? We are talking more than just thumpy bumpy sound systems- we want to see your home made Batmobile. Atomic engines to power! Nessus scanners active, rolling Wi-Fi hotspots activated! Make it so! Category Four: Demos. From the good ol' days of demo parties, show us what you've got! You will have your moment on stage to display your awesome. Remember the talent show scene from Revenge of the Nerds? We now have EL wire and wearable MIDI. Take us on a magic carpet ride of awesome that shows what your team can do. Unlike the other categories, you will perform at the awards party and no one will know until it's over who will win this category. Clap your hands everybody, and everybody clap your hands! Open submissions start NOW. Submissions can be anything from photographs, videos, live streaming or wherever your imagination takes you. Six months out from the event a panel of judges will select three submissions from each category for a total of twelve groups who will be invited to come to BSides Las Vegas and make their presentations. From there a second panel of judges hand-picked from the old, new, and weird school will judge the submissions with the winners being announced at an open party during the conference. THE PRIZES: Prize packages will be determined based on sponsor and donor contributions. At this time hundreds of trained squirrels are working to contact potential sponsors and contributors to make the rewards the best we can muster. As this develops we will keep you updated. In each of the four categories, the prizes will be: 1st place: Amazing package of stuff and things, to further your awesome and make your innovations come true. 2nd place: A not as amazing as first place but still enough to give you toys to take back and build, innovate and make things happen. 3rd place: Guaranteed entry into the competition next year without having to go through preliminary judging. Prizes for the first three categories will be awarded at an awards party to be held after judging. The demo competition and awards will happen as part of that party. Plans for live bands, DJs and sponsor demonstrations are in the works. SPONSORS / DONORS: Does the idea of a show of awesome and supporting hackerspace / maker group innovation make you feel warm and fuzzy inside? Do you want to donate hardware from your company, or sponsor the event in other ways? Let us know! We will be reaching out in every way we can to ensure that the sponsors and donors as well as the participants are recognized in the forward march of human driven innovation. Security BSides Las Vegas, Inc. is a registered Nevada non-profit educational and charitable organization and the contest organizers are ready to work with you to help make this an amazing competition. NOW GET OUT THERE AND START BUILDING!</description><link>http://www.secuobs.com/revue/news/394229.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394229.shtml</guid></item>
<item><title>Marketing to the cynical, skeptical, and jaded (us)</title><description>Secuobs.com : 2012-08-13 23:34:21 - Uncommon Sense Security - There was a good thread on the Security BSides Organizers' mail list about sponsorships, and I shared some observations and opinions about the best ways for BSides sponsors to get the most value out of their investment. It was suggested I turn my comments into a blog post about marketing to InfoSec pros in general. So here it is, somewhat cleaned up and expanded, my suggestions for marketing to the jaded, professionally skeptical, and often cynical technology and security pro. The key is contact. BSides events are different from most events because we want sponsors, not vendors, to keep the atmosphere non-commercial. To get real return out of BSides the goal needs to be awareness, not lead-generation (although recruiting is generally an exception to the "no lead gen" idea). This applies to most marketing, multiple low-impact points of contact or visibility might be ignored, but they are likely to have real reinforcement value if done properly- and are unlikely to offend or annoy people. Simply driving for the leads often gives a pile of useless email addresses, and people who are annoyed with your calls and email. This is not to say no leads will come from BSides or other "low-impact" events, but that they should not be the primary objective. With BSides, there may be various underlying goals, brand awareness (look at Milton Security, or Astaro), awareness of what the company does now ("wow, Tripwire does all that now"), or goodwill and brand reinforcement (Barracuda, IOActive, Qualys). (Forgive me missing many examples here, I'm using these based on some BSides experiences, this is by no means a comprehensive list.) Sponsors who have defined their objectives will do best- as with most things in life, having a reasonable goal is a pretty good idea. No matter what, participation is key to amplifying the message and investment. Having people at the event, speaking, volunteering, contributing, that is the key to maximizing value IMHO. (And remember, I'm in vendor land, I pay attention to these things for work, not just BSides.) That's right folks, just sending money is great for the event, and has value for the sponsor- but you have to participate and engage to get the greatest results. Prove you want to be part of the community, that you are listening, not just broadcasting, and have some fun too. This is not to say that when I walk into your booth at a trade show and ask about your product that I am not a lead. But when I walk by and someone leaps out to accost me- I am absolutely not a lead. And by the way, if you are really serious about lead generation I'm sure you can answer the following questions about those leads: What percentage of total leads are "real", "qualified" or whatever terminology you use to determine level of effort in follow up? (You don't treat them all the same do you? That would be foolish.) An easy one: what's the cost per qualified lead? What is the close ratio on gross and qualified leads? What is the profit margin on those leads, and how does that compare to average transactions, and to other events? Bonus for the hard-core: what's the retention rate on customers acquired at the event? (Assumes subscription, support, or other recurring costs related to the initial sale.) What, you can't answer those questions? Then surely you are working on setting up a metrics program so you can, right? Otherwise, you are probably wasting a lot of time and money, and likely annoying a lot of folks in the process. For the record, I spent many years paying attention to lead generation and lead metrics for a variety of industries. That was in a past life, but it appears to still be relevant. Words like "engagement" and "community" are overused by charlatans, marketing gurus, and social media experts- but if you cut the crap and actually engage the community, people will pay attention. And while I'm on a roll: "influencer" is another abused term, but some people do have more of a voice in the community than others. Ignoring people who "aren't ready to buy" could be a very bad idea if they are interested in what you do. Remember, "marketing" isn't a dirty word as long as they're buying the drinks. Jack</description><link>http://www.secuobs.com/revue/news/393321.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393321.shtml</guid></item>
<item><title>Nonsense abounds, and more is coming</title><description>Secuobs.com : 2012-07-01 20:31:03 - Uncommon Sense Security - I can't even think about reading coverage of the Amazon Web Services outage, the hype and stupidity is already overwhelming. The cloud has failed us again! Yes, and we have failed it again, too- as we have pretty much every preceding technology. If I understand it correctly, the "logic" is that those who put all of their cloud services in a single zone with a single provider, a zone/provider combo with a few scars in its history at that, are somehow the victims of a failure they should have anticipated and mitigated. Fine, everyone's a victim, whatever. I propose the following slogan for AWS: "AWS, we're cheap and so are you. Do it right or STFU." But let's not dwell on that, recently there have been a couple of other rant-worthy stories. We can ease into full blown rant mode with this one: "99% of attacks could be stopped by patching". At least according to the above article in Infosecurity Magazine. There is a huge and flawed leap required to get to this utter nonsense, and it needs to be beaten down, and hard. The article says Microsoft's chief UK security advisor Stuart Aston "pointed out that less than 1% of attacks are based on zero-day exploits" and I'll buy that, but I would obviously like an actual reference, and you know, some of that "DATA" stuff to back up that claim. Then it gets interesting, with an epic leap of logical fallacy leading to: "The implication is clear: 99% of attacks could be stopped by anti-malware and up-to-date, fully-patched, software". No, it cannot. That is so very wrong, on multiple levels. First and foremost, you cannot "stop attacks", you can only stop or alter the consequences of the attacks. You can stop attacks from succeeding (sometimes), and minimize the impact on your organization, but the attacks will come no matter what you do. And no, it is not pedantic to get wound up over using the wrong terminology in a trade publication. Get it right. Further, the idea that "attacks" only fall into two categories, zero-day and patchable, is more nonsense. No, patching and anti-malware will not fix logic flaws, authentication failures, misconfiguration, or a myriad of other problems. Nonsense and drivel, stop it. But that is really only a minor annoyance compared to the rage-inducing drivel which recently came from Ramon Krikken, a research vice president at Gartner. As referenced in this Search Security article, Mr. Krikken said some logical things, such as there is a clear disconnect between security and application development, and that developers are going to do what they are measured on- which is generate code, not necessarily generate secure code. There are some other viable references and observations in there, but the madness comes from his view of Web App Firewalls and other bolt-ons: "The application security challenge has become so difficult to address through development, Krikken said, that he instead encouraged enterprises to consider an alternative strategy that relies less on developers and more on integrating defensive technologies- like Web app firewalls (WAFs), database audit and protection (DAP) products and XML gateways- into the enterprise application architecture." Secure coding is so hard that we need to rely on WAFs and other bolt-ons to protect us? But WAFs are software, and by definition must include web applications, and as we know web software has vulnerabilities, so do I need to put another WAF in front of my WAF to protect it? How far does that go? We have seen vulnerabilities in WAFs, and we will see more. Also, WAFs are far from perfect, they can do nothing about most complex bugs, and can rarely handle logic flaws, so we're just throwing another layer of complexity in the stack to add security? Bolt-on security doesn't have a great track record. There is a place for WAFs, in my mind they can perform two functions very well: filter out basic internet crap, and when properly tuned (generally with custom rules) they can provide defense against known weaknesses in web applications until the code can be fixed. WAFs are frequently bypassed, and are generally difficult to properly tune- this nonsense from Mr. Krikken has damaged application security. He may have said mitigating things, but the takeaway is "I don't need secure code, because that's hard, I just need a WAF". And that is dangerously wrong. If I were a cynical person, I might think Mr. Krikken has made his living in the "advising people who sell bandages to trauma patients" world of information security too long to be taken seriously. Glad I'm not like that. Full disclosure reminder bits: I work in vendorland, and have for the past several years- and these vendors use analysts to help focus products and messages. Hopefully it is obvious that I have not fallen completely under the spell of industry analysts. (With at least one notable exception.) Jack</description><link>http://www.secuobs.com/revue/news/384840.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/384840.shtml</guid></item>
<item><title>BSides Las Vegas Speaker Mentorship</title><description>Secuobs.com : 2012-06-03 20:21:56 - Uncommon Sense Security - One of the many great things happening this year at BSides Las Vegas is the New Speaker Mentor program. The goal is to encourage new speakers to participate in the community, this will help both the new speakers and the community. It can be difficult to give that first talk, that's why a team of mentors will work with the new speakers to hone their presentation and provide support for them. Full details are available at the Mentorship Program page and information on submitting a talk to this (or any track at BSides LV) are at the CFP page. If you are interested in participating, or know someone who might be, please join us for this new program. And do it soon, the CFP for all tracks closes June 15. Jack</description><link>http://www.secuobs.com/revue/news/379229.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/379229.shtml</guid></item>
<item><title>A meandering rant on sexism</title><description>Secuobs.com : 2012-05-14 19:44:50 - Uncommon Sense Security - This has been a bad year for technology. Not necessarily for the business of technology (although it is very hard to discuss the current state of the tech and InfoSec biz without using the word "bubble"), but for the culture and future of tech. I commented on the depressing "booth babe" situation at RSA in this year's RSA wrap-up blog post, it is an ongoing embarrassment. As I've said before, in the right contexts I have nothing against attractive people, fast cars, or other things normally used to sell cheap beer- I just don't believe tech and security events are the correct contexts. There are not very many women in tech, and that is not a simple problem to fully diagnose or correct. There is plenty of blame to go around, starting with the way we market to and educate/brainwash young folks, but what we do inside tech industries is our responsibility and we have a lot to fix. A couple of weeks ago I was at Infosecurity Europe in London. It is very much like a somewhat smaller (but still big) RSA San Francisco event. The attendees (at least from my perch in the Tenable booth) were much more likely to be customers seeking information on the latest products and services than attendees at RSA, which certainly gets a lot of customers- but is really a business-to-business event IMHO. I had many great conversations with customers, prospects, and folks who just wanted to chat. I'm looking forward to going back next year- but I'm working out my schedule so that I can get over to BSides London next time. BUT, the booth babe phenomenon was a blight on Infosecurity Europe, too. Probably worse than RSA. Last week I was at InterOP Las Vegas. It is a big networking show, with a healthy dose of cloud, and a touch of security. I enjoyed the event, and hope to put together some thoughts about what "security" means to a non-security crowd. Sadly, there were more "booth babes" than in years past. Special dishonorable mention goes to WatchGuard for succumbing to the lure of the booth babe over technical innovation in a field they dominated a decade ago. And then there was the Dell fiasco. Dell had a partner event in Denmark and the moderator they hired for the day was, well, not moderate. In a series of demeaning and sexist remarks following Michael Dell's talk Mads Christensen said some really inappropriate things. The primary source of coverage is this post at Elektronista (if you are a sentient being, you'll probably want to skip the comments), and Molly Wood has a good follow up post on why we need to keep talking about women in tech. Sadly, Dell has only apologized weakly thus far, and no actions appear to have been taken. It looks like Christensen issued a non-apology: "I'm sorry if you were offended". The ability to hire and retain good employees is critical to a company's ability to execute, and with a dire shortage of candidates for many security and tech roles Dell's mistake and subsequent inaction may cause them some HR pain. Let's hope it does. And, not to be completely negative here, ExtraHop Networks gets credit for going in a different direction to draw attention to their booth. And they are doing it because what they do works, not as a political statement. "Because it works", the excuse for using booth babes, is turned around here. See this post at Network World for details and links. As a reminder, I'm an old, white, heterosexual male with a great job. I'm supposed to be part of the problem, not one of the voices ranting about it. I can't imagine my outrage if I were a woman trying to deal with the tech industry. It is unacceptable. By the way, I've been an "old boy" for a while now, and yet I have not received a single invitation to join any of the much-heralded Old Boys' Clubs. Perhaps I've done something to offend the Old Boys' Clubs, such as not wanting this industry to be one. Jack</description><link>http://www.secuobs.com/revue/news/375452.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/375452.shtml</guid></item>
<item><title>Context matters</title><description>Secuobs.com : 2012-05-05 01:48:35 - Uncommon Sense Security - A recurring theme for me lately is explaining the significance of taking things in context. When discussing vulnerabilities with people (I do this a lot working at Tenable), some folks don't intuitively grasp that context is critical in translating a finding into usable and valuable information. Let's shift gears, a few weeks ago I was in Texas for BSidesAustin. While I was there I picked up a couple of bumperstickers, this one's my favorite. For those who don't know, that's a stylized flag of my home state of Texas, and Texas is always trying to secede from something. What does this have to do with context? Imagine this bumpersticker on the back of a Cadillac Escalade in Houston, there's the stereotypical Texan sick of the meddling of the federal government and the liberal hatred of the Second Amendment. Now, let's picture the same sticker on the back of a Toyota Prius in Cambridge, Massachusetts- the sentiment is more likely "get rid of those ignorant hick psycho cowboys who are screwing up America". Context matters. So, back to that vulnerability, opportunity, threat, bug, whatever it is you are contemplating. You have to ask yourself: Is this on the back of a Houston Escalade, or a Cambridge Prius? Not literally, of course, and certainly not out loud- people would give you the kind of look I'm used to getting. BUT, you do need to assess how the vulnerability is exposed and what mitigations are in place (or possible), how hard the threat may be to execute against your situation, whether there is a graceful failure mode if the opportunity turns out to be inopportune, etc. Consequences of the action or situation are also part of the context; the world is full of unintended consequences, please limit your contribution to them. I guess what I'm saying is don't make decisions in a vacuum, because that would suck. Jack</description><link>http://www.secuobs.com/revue/news/373840.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/373840.shtml</guid></item>
<item><title>Wait, what? Someone has to look at those logs?</title><description>Secuobs.com : 2012-04-21 02:22:47 - Uncommon Sense Security - Anton Chuvakin has a good post over on the Gartner blog about security monitoring and cloud systems. Depending on your point of view and/or experience, you may think his comments are thought provoking, or possibly obvious (this will probably depend on where you are on the cloud adoption path). I agree with the good Dr. Chuvakin, but my recent conversations with people trying to come to grips with monitoring and log analysis have given me some contradictory insights. Anton is correct in his mapping of visibility and coverage, and on the observations of the perspective of CSP-MSSPs (Cloud Service Provider / Managed Security Service Provider), but there is one point I have heard loudly from some people- that in spite of some MSSPs' theoretical threat intelligence and perspective advantages, they simply do not understand the businesses they serve well enough to provide enough value to justify their expense. In my recent peer-to-peer session on What Works in Log Analysis at the RSA Conference some participants were struggling to pull log management and analysis back in-house after outsourcing it. Their battle was that the MSSPs never lived up to the promise of economies of scale and advanced insight into traffic anomalies, possibly due to shortcomings on the part of the MSSPs, and possibly because the advantages of scale and "big picture" view were offset by a lack of focus on the specific circumstances of the customer. As with many other issues in business, you (hopefully) know your situation better than anyone else. I'm not saying that you can't outsource SIEM, log management/analysis, or anything else for that matter- I'm just saying you need to understand the trade-offs and make sure you monitor the MSSP until you are satisfied- and then keep monitoring them. Any effort you duplicate in monitoring the performance of your CSP-MSSP or MSSP is cheap insurance- the last thing you want to face is a surprise failure of your monitoring service and the sudden need to rebuild an in-house monitoring program. You thought getting all that data pushed out to the MSSP was a pain- just imagine trying to get it back. Jack</description><link>http://www.secuobs.com/revue/news/371204.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/371204.shtml</guid></item>
<item><title>Who put all that travel on my calendar?</title><description>Secuobs.com : 2012-04-10 22:49:33 - Uncommon Sense Security - I did it to myself if I'm honest. I will grumble about airlines, the TSA, hotels, cabs, etc- but the great thing is that I get to see old friends, meet folks, and have some engaging (and inane) conversations. Some of my upcoming adventures are below- if you'll be at these events or in the general area either find me and say hello, or hide from me, as you feel appropriate. I'll be at BSides Austin later this week, participating in a cloud computing panel and later giving an update on the stress and burnout research. And joining in Hackers on a Duck III. Next week I will be helping at SOURCE Boston and MassHackers BeaCon (both in Boston), followed by a trip to London for Infosecurity Europe where I'll be working the Tenable booth (and hopefully sneaking over to BSides London). After just enough time to do some laundry, I'll be at NAISG Securanoia in Boston, helping with the event and speaking on the state of information (in)security, then off to InterOP in Las Vegas where I'll join the panel "So you want to be a Tech Influencer". Next stop will be BSidesROC, in Rochester, NY, and then maybe home before heading out again to Las Vegas and who knows where else. Travel arrangements per that old Johnny Cash song. I'm not hard to spot, subtlety is not one of my strong suits- find me and chat. Jack</description><link>http://www.secuobs.com/revue/news/369195.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/369195.shtml</guid></item>
<item><title>Filling in some blanks</title><description>Secuobs.com : 2012-04-02 04:25:17 - Uncommon Sense Security - My last post had some incomplete thoughts (this is not unusual), and I decided to address some of them (this is unusual). I mentioned that segmenting your network was advantageous for a variety of scanning and monitoring reasons, but I didn't elaborate, let me do that now. There are some great systems for data correlation which can tell you significant things- for example whether that IDS alert was for traffic targeting a host vulnerable to the specific attack detected. Unfortunately, we don't all have the resources to have such systems, or the time to tune them. If, however, you have an effectively segmented network and see an IDS alert for an attack against Internet Explorer in a segment with only Linux servers you can relax. On the other hand, if you see alerts for an event targeting a Windows bug you have yet to patch, and it is inbound to your Windows segment- it is time to crank up the caffeine and get busy. You get the idea. And it extends beyond IDS, even simple network stats can become informative- anomalous traffic is much easier to spot in a segmented network, a sudden increase in inbound traffic to a workstation segment, outbound requests from web servers, or SMTP where it doesn't belong are just a few examples. You can certainly sort this out with a little analysis, but in a well segmented network you can reduce the amount of thought required to make "react or relax" decisions. Some of the other reasons I mentioned are more obvious, keeping traffic in local segments where possible to minimize network noise, and protecting systems from having Something Bad rip through the network unhindered. A couple of thoughts on the segmentation-for-security concept are worth elaboration: grouping by OS makes sense from a management perspective, but if you do that it won't stop the aforementioned Bad Things from running wild, so consider how best to segment for your situation and needs. It may be that the security disadvantages of putting all similar digital eggs in one basket are offset by the administrative advantages. Knowing you can scan, patch, and monitor quickly and accurately may be a stronger defense than splitting up your Windows environment. On the other hand, if it takes a long time to get patches deployed, the added separation may buy you time when bad things happen before patches or mitigations are deployed. If you do segment for security, you need to put meaningful rules in place to restrict the traffic or you are just adding latency and complexity without adding security. I would like to tell you that deciding what traffic to allow will be easy, but it probably won't be. First, note that I said "traffic to allow", that is because a default block rule is needed internally as well as for inbound and outbound traffic to the wider internet. You may need to temporarily allow all traffic internally and perform analysis on what ports and protocols traverse the links, then build rules based on existing traffic. This is not ideal, as you could allow inappropriate traffic based on "grandfathering" bad behavior, but this is a starting point; as you implement the filtering rules make sure they make sense. As always, understanding your environment is critical to doing this properly. Still not a complete story, but hopefully this has filled in a few holes in my last post and given a bit more insight into how and why to implement or extend segmentation. Jack</description><link>http://www.secuobs.com/revue/news/367487.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367487.shtml</guid></item>
<item><title>Segfaults</title><description>Secuobs.com : 2012-03-31 03:29:09 - Uncommon Sense Security - Network segmentation faults, that is, not those pesky software problems. Penetration testers and others often say network segmentation doesn't stop attackers, and that at best segmentation only slows them slightly. Systems and network admins often complain of needlessly complicated routing and access rules, latency, and other problems. What these people say is largely true, and also largely wrong. Because they are doing it wrong, and for the wrong reasons. Network segmentation does not mean simply adding a hop between network segments to confuse and exhaust the poor little packets, and it is not just a tool for restricting traffic or controlling access. Obviously restricting traffic and isolating access in logical network divisions by function, type, criticality, sensitivity or other reasons relevant to your environment is a logical reason to think about segmentation, but that is only the beginning. VLAN if you must, but I like physical segregation where possible, especially for the most high-traffic and most sensitive segments. I prefer to use a firewall with a lot of real ports, not one of those crappy things where most of the ports are just switch ports for the LAN. Just make sure whatever gear you use can fling packets without adding noticeable latency. Thankfully, broadcast storms are largely a thing of the past, but isolation can still help in diagnosing network oddities. Not pretty or sophisticated, but sometimes disconnecting segments is the fastest way to find problems. I can unplug a lot of patch cables (or power cords) in the time it takes to log in and poke around in most network gear (where's the damned CAM table shown in this version of [EXPLETIVE]?). Also, the switch/router/firewall interfaces are great places for packet captures when you are having one of those "the packets hate me" days. You know, the ones where you go digging for the old taps and suck traffic right off the wire (or fiber). Why else should you segment? Network and systems management can be enhanced by segmentation and isolation, as can performance: patch and systems management servers, departmental servers, printers and more can be placed in the most advantageous segment of the network. For systems which can't be in the target segment, traffic can be restricted and directed to limit noise on the wire (or fiber, or ether, whatever). And finally, near and dear to me lately, we have scanning and monitoring. All your Apache servers in one segment? Great, patch or vulnerability scans can regularly scan that segment with minimal stray results if the scans have the relevant tuning. The great unwashed of Windows workstations? Hammer those with scans looking for unpatched RDP or whatever the Next Big Bug is, without annoying the PostgreSQL servers over there in the DB segment. It goes without saying that you put scanners in each segment to minimize network noise. And not just active scanners: passive scanners, network analyzers, netflow sensors, IDS sensors, full packet capture systems, and more can benefit from segmentation and isolation of traffic. This even applies to virtual segmentation. Well, some of it does, and there are some virtual equivalents for some things. Jack </description><link>http://www.secuobs.com/revue/news/367303.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367303.shtml</guid></item>
<item><title>Let's look these gift horses in the mouth</title><description>Secuobs.com : 2012-03-12 10:27:17 - Uncommon Sense Security - I have a habit of tearing up the various reports and surveys that wander past my view in the world of information security. This is often really unkind of me, because we need to share more information on what works and what doesn't if we are going to move forward in this struggle to protect whatever it is we're trying to protect. Companies like Veracode, Verizon, Mandiant, Trustwave, and others put a lot of effort into sanitizing, organizing, and distributing the information they gather in their various endeavors, and they share it for free (or at least just an email address). In a desert largely devoid of data, these reports are oases of information. And here I am being an ungrateful bastard, trying to x-ray the teeth of these gift horses, then complaining loudly about gingivitis, impacted molars, selection bias, confirmation bias, corporate agendas, and other things Crest and a good flossing will never fix. The problem is that a lot of the data leaves me wanting more. More details on the data we get, just plain "more data", and more context. I also want more honesty about the shortcomings of the reports and data. Let's not even talk about some of the bizarre conclusions. And it makes me crazy (crazier) when I see contradictions in a single report, then one report contradicts another company's report, then year over year reports appear random rather than additive or complementary. When you read this year's Report X from Company Y, ask yourself how the information presented made it into that dataset. In the case of the breach reports, remember that they are about failures: organizations which were 1. Compromised; 2. Discovered it (probably not themselves); 3. Called Company Y to help them solve it; 4. And could afford Company Y's rates, and paid them. Suppose that skews things? Yeah, me too. Where are the success stories? If you see me talk about any of the career studies I'm involved in you will generally hear me start talking about known flaws in the data; after the disclaimers and caveats we move into what we feel comfortable saying about what we have collected. Of course, I'm not trying to facilitate a transfer of funds from your organization to mine, so maybe it's unfair of me to expect the same from those with a financial motive. And for closing complaints: stop with the moronic USA Today-style "infographics" which tell me less than text would. Combine the graphics with mixed dark on light and light on dark type/background, add PDF format, and we can't read them on anything but a large monitor (or in dead-tree mode). Just make the reports available in epub/mobi so I can read them on my terms and not be forced to read them in the deity-forsaken PDF format these always come in. And, thanks for doing all that work. Just stop making me hate you for it. Jack </description><link>http://www.secuobs.com/revue/news/362848.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/362848.shtml</guid></item>
<item><title>Post BSidesSF and RSA Post</title><description>Secuobs.com : 2012-03-10 02:50:34 - Uncommon Sense Security - It was a great week for Security BSides. I post semi-regular updates to the BSides Google group if you want the ongoing story, but a couple of high points: I met with Mike Dahn and Gene Kim for a few Board meetings; we reviewed accounting, roles, 501(c)(3) filing status (which is "waiting for CPA to complete the audits"), how best to support BSides event organizers, and more. We had a great conversation with folks from RSA and the RSA Conference. We all want to minimize needless tension, and RSA was gracious. The event organizers for BSides San Francisco will continue the conversation with RSA in the coming months. I had some good conversations with folks from Black Hat. This will be tricky; we have a direct overlap on dates, and a greater overlap on speakers, sponsors, and attendees than we do with RSA. But, we've started talking. And finally, planning for BSides Las Vegas 2012 moved forward through several good conversations during the week. The RSA Conference was the RSA Conference. It is where a lot of business of InfoSec gets done. I thought it was better than the past few years as far as talk content. As has been observed by many, it is not generally the place for cutting edge research, and the expo is all about selling security products. It can be disillusioning to see the crass commercial side of our business. The split between those who say RSA is great, and those who leave scarred and scared, seems to be whether you have productive meetings during the week (and I had a lot of those this year). Our Burnout panel went well; we filled the room on Monday afternoon. Members of the team will be presenting at other venues including AIDE and possibly Infosec UK. I'll post more about the career research, as well as the burnout project, as those efforts evolve. Amazingly my P2P session on "What Works in Log Analysis" was packed, too. Of course, we had more questions than answers, but people have realized how much data we are missing in our own logs, and want to ease the pain of finding the goods. All the usual vendor hype and FUD was out in full force on the Expo floor and beyond. "Big Data" was the buzz phrase of the year, and it seemed at least as poorly defined as APT, Cyber, Cloud, and other past buzzes (even though most have real definitions to those who actually know what they are talking about). Some glaring examples: Ferraris and firewalls? I get the speed reference, but really? Special dishonorable mention goes to Bit9 with the little girl in their poster; ugly scare tactics are ugly. Good vendors blighting themselves is a recurring theme, whether it is execs telling untruths and trashing the competition, or folks showing ignorance in talks, or just general boorish behavior; there was plenty to see. Let's not even discuss what the bad vendors do. Special dishonorable mention in this category goes to NetOptics, a good company with great products. I have nothing against fast cars, attractive women, or network tools, in the proper context. All three in one obnoxiously loud booth is not the proper context for any of them, especially when I just want to see the latest in traffic capture tools. Sadly, NetOptics seems to think this is the way to present themselves at RSA; they were a bit obnoxious last year too. There were certainly worse vendors there, but it really annoys me when good companies do bad things. The usual fear and hype mongers are somehow easier to ignore than people tarnishing their own otherwise good image. And yes, we are still dealing with the "booth babe" phenomenon, and NetOptics was far from the only vendor guilty of this. I have an answer to this, but it will have to wait for Las Vegas. It involves fishnets, short shorts, and probably eye bleach. You've been warned. Finally, thank you very much to my fellow members of the Security Bloggers Network for voting this the most entertaining security blog of the year. It may just guilt me into writing more. But don't hold your breath (I do have a backlog of posts to write for my drunken con, er, travel blog). Jack </description><link>http://www.secuobs.com/revue/news/362675.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/362675.shtml</guid></item>
<item><title>Read this</title><description>Secuobs.com : 2012-02-12 16:05:37 - Uncommon Sense Security - You know those posts where I just phone it in and suggest you go read something? This is one of those. Take a few minutes and head over to the Idoneous Security Blog and read "Insecure at any speed"; it is a great post from someone who knows what she's talking about. You'll probably want to read the rest of what you find over there, too. Now, back to digesting the Trustwave report. Where's my coffee? Jack </description><link>http://www.secuobs.com/revue/news/357351.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/357351.shtml</guid></item>
<item><title>Speaking at RSA</title><description>Secuobs.com : 2012-02-07 19:59:32 - Uncommon Sense Security - I'll be moderating a panel at RSA on Monday, Feb 27 between 12:30 and 1:40, session PROF-001. The topic is a continuation of the work we have done in the past year on Stress and Burnout in the Information Security Community. Although the ongoing "attitudes in infosec careers" survey covers a much broader range of topics than stress and burnout, some of the relevant data collected from that survey will be discussed in the panel. A reminder: the Career Attitudes in InfoSec survey is open for another week; please see this blog post for details, and I would appreciate it if you consider taking the survey. And thanks to everyone who took the survey and helped to spread the word about it. I'll also be leading a peer-to-peer session on "What works in log analysis". The session is P2P-205C on Wednesday Feb 29, from 2:10 to 3:00. I really want this to be a peer-to-peer discussion and exchange of ideas, so if you are interested please come ready to share your thoughts and experiences. We gather a lot of information in logs, but we don't always gather the right information, or use it wisely. The Verizon DBIRs show that log analysis hasn't led to incident detection in the cases they have worked, but that over 60 percent of the time there was relevant information in the logs. Does that mean we aren't using the data properly (or at all)? Or does that mean that the folks who do log management and analysis properly don't end up having to call Verizon for incident response services? Hmm. The rest of the week you can find me at BSides San Francisco, wandering the floor and talks at RSA, at the Tenable booth at RSA, and of course, at the Tonga Room (and probably Jack's Cannery Bar). Jack </description><link>http://www.secuobs.com/revue/news/356504.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/356504.shtml</guid></item>
<item><title>How much sharing is too much?</title><description>Secuobs.com : 2012-02-03 11:42:00 - Uncommon Sense Security - We always hear calls for more information sharing in InfoSec, but is it really needed or helpful? What is the point of me telling you I was compromised by spear phishing, SQL injection, cross site scripting, cross site request forgery, default credentials, or anything else we've known about for years? If you are ignoring all of the well-known risks, it is a waste of my time preparing the data and sharing it, and it is a waste of your time reading it. This isn't as disturbing as some of the oversharing we see on the internet, but it may be more distracting. Maybe you should just do what you already know needs to be done. Don't give me that look, you know exactly what I mean. We need to talk about security sometimes, but more often we need to shut up and DO security. On the other hand, if you are taking things seriously and are at least making a good faith effort, then knowing the specifics of what attacks are in the wild, who they are targeting, and details of the compromise timeline could be very valuable in prioritizing your defenses and focusing your monitoring. The New School folks are much more eloquent in explaining the value of information sharing done properly, so I'll refer you to them for more on that. Oh, and if you do choose to share information, the more RAW DATA you share, the better. Add context and color, share observations, theories, and maybe even a conclusion or two, but give us the data whenever possible. And go easy on the images; a good infographic is a thing of beauty (probably because of their scarcity), but overthought and underdelivered graphics seem to be the norm. Don't do that. Jack </description><link>http://www.secuobs.com/revue/news/355750.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/355750.shtml</guid></item>
<item><title>Put away the pitchforks</title><description>Secuobs.com : 2012-02-01 16:58:23 - Uncommon Sense Security - It looks like all is well, or at least functional. The folks at the RSA Conference are issuing waivers for RSA sponsors and exhibitors to participate in BSides San Francisco. I've swapped messages with one of our friends at RSA; I do not know how things got as tense as they did as quickly as they did, but it seems that it has been resolved almost as quickly. Let's be honest, there will be tension in situations like this: the events are adjacent, occur on overlapping days, and people cannot be two places at once. The RSA Conference is an enormous undertaking and the people who put it on are protective of their enterprise, and those of us in the BSides community are even more protective of our community. BSiders are all volunteers, busy with jobs, modern life, and the challenges of running events on tight budgets; the folks at RSA are in their crunch time (thousands of attendees, hundreds of exhibitor companies, hundreds of speakers, and many others are bearing down on them; the pressures must be significant). In light of that, it is easy to see how what should be a constructive conversation could end up being, well, not constructive. But that is behind us. If you are reading this, you've seen the BSides perspective; here is RSA's post on this. There will be frustrations with each other again, but hopefully we can minimize those. I still see more mutual benefits than challenges, but the critical thing for now is that BSidesSF will happen as planned, and the sponsors of that event will not be placed in an uncomfortable position. BSides organizers have worked, or at least communicated, with almost every "A-Side" event in recent times. The relationships generally range from outstanding to at least understanding, and that is our goal. (Note: There is one parallel event where things really are competitive, but I can't even think about it now. Some day I will have to send a peace dove over to them and see if they return it, or cook and eat it; that day is not today.) I've learned a little more about event management and conflict resolution this week. In retrospect I should have picked up the phone and made a call or two to try to sort things out directly. I do want to thank all of the sponsors of BSides San Francisco for working through this, and thank those who stepped in with sponsorship when things looked questionable. Among those, Lee Kushner of InfoSec Leaders deserves special thanks for his significant moral and financial support of Security BSides San Francisco. I am looking forward to both RSA and BSides later this month. I'll be speaking at RSA for the first time this year, and I am also leading a peer to peer session for the first time (more on that in another post). For those who are surprised at my conciliatory tone, and disappointed by my lack of vitriol, I apologize; I just don't see any value in dwelling on past frustrations in this case. Thank you to everyone who showed their support for BSides, the event and the community. Jack </description><link>http://www.secuobs.com/revue/news/355269.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/355269.shtml</guid></item>
<item><title>Security BSides San Francisco, and RSA conference</title><description>Secuobs.com : 2012-01-28 23:05:45 - Uncommon Sense Security - I thought we were making progress last year, but I may have been mistaken. The RSA Conference is enforcing the non-compete clause in their sponsor and exhibitor agreements; that means a written waiver is required for an RSA Conference sponsor/exhibitor to hold or participate in anything RSAC feels is "competing" within five miles of the RSA Conference (their definition of "competing" is pretty broad, too). Last year they issued waivers for BSidesSF sponsors, but so far this year they are refusing to issue waivers. For more details on this situation, please see this post at Infosec Island. It would be great if you politely let RSA know that supporting the community is not a bad thing. They really don't need to feel challenged by a free event drawing a few hundred people next to their commercial event drawing well over 10,000. Don't go flaming @RSAConference on Twitter or anything like that, but if you are a sponsor/exhibitor, speaker, or attendee, maybe take a minute and let them know how you feel. I will be speaking at RSA this year, partly because one of the comments we heard last year was that many BSides speakers don't even submit to RSAC. That seems unlikely to happen again if I have misunderstood RSA's true attitude towards BSides. Oh, and if you happen to know anyone who is not exhibiting at RSA who might be interested in sponsoring BSidesSF, you know where to send them. Thanks, Jack </description><link>http://www.secuobs.com/revue/news/354642.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/354642.shtml</guid></item>
<item><title>Bumper Sticker "wisdom"</title><description>Secuobs.com : 2012-01-23 17:49:36 - Uncommon Sense Security - I saw a bumper sticker the other day that made me think about the trite things often said in InfoSec. The bumper sticker said (paraphrasing) "War never solved anything, except ending communism, fascism, nazism, and slavery". While somewhat nonsensical, I'm sure a lot of folks cheer the sentiment. I really wasn't in the mood to interrupt my vacation to discuss the state of global communism, the fall (and pending rise) of Russia, and China and its sphere of influence, and the economic power wielded there. Nor did I wish to engage on fascism's passing due to natural causes when Franco died a comfortable old man. I'll give him the nazism thing, but given the number of people enslaved globally that is far from "ended". My point is not about the politics of war, but about the temptation to buy into things which "sound right" and make you feel good. Things are rarely that simple. Let's consider anti-virus, the Schrödinger's cat of InfoSec (reported to be both dead and alive, and we don't know for sure until we open the malware). The truth is that it is alive, but sickly; hairballs everywhere in spite of a special diet of CPU and RAM. If the answers were bumper-sticker-easy, InfoSec wouldn't be fun. Of course, some days (especially post-vacation Mondays) I would settle for less "fun". Jack </description><link>http://www.secuobs.com/revue/news/353581.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/353581.shtml</guid></item>
<item><title>InfoSec career attitudes survey</title><description>Secuobs.com : 2012-01-07 18:23:04 - Uncommon Sense Security - I have a favor to ask: please consider taking a survey on attitudes about your career in Information Security. I'm helping a group of smart folks look into what makes InfoSec folks tick, and what makes us twitch. This survey is mostly focused on your current situation, and this specific survey was selected because it is a standard measurement recognized by folks who study such things (this means aggregated results can be used for comparison with other professions, where there is survey data available, and averages). The survey is copyrighted, and has some license restrictions imposed on anyone who uses it; the most notable is that unique logins are required for anyone taking the survey. This means we need you to send a request to take the survey, and provide us an email address under your control so we can reply with a link to the survey, and enter the address in the permitted users list. We do not care what email address you use, so feel free to use an anonymous account from any of the freebies like Gmail, Hotmail/Live, etc. The survey site requires a username; we are using the email address you provide as the username. Again, we're happy with anonymized addresses. If you request to take the survey we do ask that you follow through and take it; each email address we enter counts as a licensed survey, whether completed or not, and we pay per license to administer the survey. We are going to give a $100 Amazon gift card to a randomly selected survey respondent as an incentive; if you are interested in that and use a "disposable" email address you may want to keep the account until early March when the winner is notified. What to expect: The first step is to request access to the survey and provide consent to participate (see below). We will send a survey link to each person requesting to participate. At the survey site enter the email address used for the request, create a password to complete account setup, then continue to the survey. The survey starts with ten demographic questions; these will help categorize results and discover patterns, but they are optional, so if you wish to skip any, please do. The survey itself has a sample question and sixteen real questions, all multiple choice. Expect to spend ten to fifteen minutes total on the registration and survey. Unless you obsess over stuff, like I often do, but even then it shouldn't take much more than fifteen minutes. The privacy and confidentiality bits: The survey data is downloaded with email addresses included; they will be stripped from the data immediately. We will keep two files, one with email addresses only (for notifying the winner of the gift card), the other with raw data (demographic data and survey results). When the current project is complete and the winner notified, all email addresses will be deleted from files and the email system used for the survey, and we will request the data be purged from the survey administration site. Anonymized results will be analyzed, and the results presented at appropriate venues, but raw data and email address files will always be encrypted when retrieved from the survey host, both file-level and full-disk encryption, using two different encryption applications. There is more info on the survey website. If you would like to participate, please submit the Contact form on the survey site, or send an email to info@careerstudy.org consenting to participate, and we will reply with a link to the survey. I know you have a lot of demands on your time; I would be grateful if you would consider participating in this survey and sharing ten to fifteen minutes to help our research. Thanks, Jack </description><link>http://www.secuobs.com/revue/news/350795.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/350795.shtml</guid></item>
<item><title>Compensating, or compounding?</title><description>Secuobs.com : 2011-12-26 21:42:31 - Uncommon Sense Security - Back in the Dark Ages I managed parts departments for a few car dealerships. This was back in the land before time, when dinosaurs, Renaults, and even worse, Peugeots, roamed the US. One of the lessons I learned was about the curious views some people have about errors. My introduction to this was during a discussion of inventory results with another manager. Using made up numbers: let's say we have $100,000 in inventory on the books, we count everything, make all the required adjustments, and end up with $99,000 in inventory. There's a grand missing, but that's only one percent, right? Assuming the industry standard of annual inventories, being off by one percent isn't bad, right? Here's where a wrong idea leads us into the weeds, and compounds future errors in thinking. The inventory dollar value was one percent short, but that does not mean the inventory was only off by one percent. A more likely situation is that the inventory was $5-6,000 short on some items, and $4-5,000 over on others. Someone got the wrong part, maybe swapped it for the correct one, and no one corrected the transaction history. Maybe the wrong parts went out to customers who never used them (not going down the auto body shop/insurance industry rat hole today). Who knows, but inventory always drifts. Back to the numbers: let's assume a $100k inventory with $6k in shortages and $5k in overages. The value of the inventory is only off by one percent, but the inventory is off by eleven percent. The errors do not offset, they compound. What counts in inventory management is the ability to hand the customer the correct piece when they need it; incorrect counts on the shelf induce errors in ordering systems, obsolete parts returns, order shipments and other areas. It is a measurement problem at heart, in this case using the wrong scale (dollars) to measure inventory accuracy. I'm not saying dollars don't count, but some people always claim they are all that count. Explain that to the guy who needs a left front wheel bearing for his Peugeot 504 but your inventory is wrong and you only have a right side bearing. Hasn't the poor guy suffered enough? Luckily for us, this is just a walk down memory lane; I can't think of any situations in InfoSec where we pretend offsetting errors compensate for each other instead of compounding the problem. Nor can I imagine ever getting the metrics wrong. It is awesome being able to be smugly superior to stupid folks like the guys down at the garage, isn't it? Jack </description><link>http://www.secuobs.com/revue/news/349065.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/349065.shtml</guid></item>
<item><title>The Pandering Pentagram of Prognostication</title><description>Secuobs.com : 2011-12-21 01:33:36 - Uncommon Sense Security - This seems to be the year for ridiculing predictions, but I'm not jumping on that bandwagon. I am here to help you get the most from the meaningless drivel you spew in the name of prediction (and more importantly, page views). I have invented a brilliant methodology for measuring (because it is all about the metrics, isn't it?) your drivel, and the drivel of others, in this most festive time of the year. No, not the "Judeo-Christian-Pagan-Northern Hemisphere Damn it's getting cold and dark Holiday season", but the "I'm too sick of this crap to write anything meaningful, so I'll just phone it in until next year" season (admittedly there is some overlap). With this altruistic goal in mind, I present you with the Pandering Pentagram of Prognostication. The five points of the pentagram represent the key elements of "good" predictions; get them all and your prediction will land in the center of the pentagram, assuring a center brain shot to your victim, I mean reader. Whatever. The five elements are outlined below; miss even one and your prediction may be off target and you will fail to hit your target. Your prediction must be self-serving. Your prediction must suck up to your customers, prospects, or others whose favor you are trying to win. You must oversimplify complex issues to the point of nonsense. Predictions must slight your competition. And the big one, always play to Fear, Uncertainty, and Doubt. There you go, Jack's Pandering Pentagram of Prognostication. Use it wisely. Jack </description><link>http://www.secuobs.com/revue/news/348313.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/348313.shtml</guid></item>
<item><title>Are you positive?</title><description>Secuobs.com : 2011-11-21 11:30:12 - Uncommon Sense Security - It will not die, and this won't end it, but I have to try. "False positive" findings are hotly debated by some folks, but that debate often centers on erroneous definitions or assumptions. Regardless of the type of system we are discussing (IDS, anti-virus, vulnerability tool, whatever) there are some basic ideas involved.

The Basics: There is a defined condition which either exists, or it doesn't. The tool or utility detects it, or it doesn't. This gives us a pretty simple set of situations, expressed in the table below:

                            | Detected                | Not Detected
  Condition exists          | Valid: True Positive    | Invalid: False Negative
  Condition does not exist  | Invalid: False Positive | Valid: True Negative

There are issues which complicate this simple picture. One is how strictly we define the condition. If I want my anti-virus to detect viruses and it misses one, that is a false negative to me. It is supposed to detect malware, it missed, simple. Unfortunately, modern malware is constantly evolving, and signatures and other triggers are frequently behind the malware; this means the tool misses something it is not configured to detect. You are still left wiping and rebuilding the computer, but there's something to consider while looking for the right CD, DVD, or image file. For what it's worth, I still consider that a false negative: we use A/V to prevent malware in general, not to block WORMBOTTROJANX8703 or other specific Bad Things with even more pathetic names.

We should be able to ignore two of these for this discussion, the two I have labeled "Valid" (green in the original table). Note I said we should be able to ignore them. Sadly we can't, because true positives are often dismissed as false positives. Sometimes it is because we don't care about the result, or it is not relevant in our environment. Sometimes it is because we can't handle the truth. Thanks to Graham Lee (@iamleeg), I now refer to these as "Unacceptable Positives". Regardless of our level (or lack) of concern, or the discomfort caused by the truth, if the condition exists and it is detected, it is not a false positive. It is often easy to prevent the utility from reporting on findings, either by changing how it searches or how it reports on findings. Go ahead and accept the finding and dismiss it in your environment; just don't call that a false positive.

Real false positives certainly do exist, and can be a burden. There are a myriad of reasons they occur, some specific to the technology in question. Anti-virus may trigger on a file which looks close to a known bit of malware. People can screw up signatures. There may be performance trade-offs: looking at larger chunks of network traffic may provide more accurate detection and identification at the expense of speed, either of the detection system, the network (when inline), or both. Slow down the network, users scream. Slow the system, traffic overruns the utility and some things will get by. Tune for performance, miss a few detections. For scanners, there is a limited amount of information which can be determined in a scan from "outside" a system. An exhaustive network scan can find a lot of things, but it can also cause network problems due to the load placed on the network. The limited information available without logging in to inspect a system can lead to inaccurate detections by the tool, positive or negative. (Note: this is why I always recommend credentialed scans when possible, but that's another post.)

True negatives are safe to ignore: nothing is reported because nothing is there. Unless, of course, you are a typical security-minded person, in which case you always wonder if something has been missed. Caution leads us to try multiple tools to validate our non-findings (when budget and time allow).

False negatives are very real, too. This is where anti-virus gets beaten up, and generally for good reason. It isn't only A/V; network load when using scanners and sniffers can lead to missed detections. Sometimes the signatures just don't work. Sometimes the condition we are trying to detect has changed. This is true for everything from malware to operating systems: new versions come out, patches are applied, and detections change.

Remember that the nature of the system will dictate the tolerance for errors. A good example can be seen by comparing IDS (true passive intrusion detection systems) and IPS (inline and blocking intrusion prevention systems). While the technologies are very similar, the goals are different. A good IDS will not miss detections; false negatives are a serious problem because we don't want to miss anything, and this means false positives are more acceptable if the trade-off means not missing Bad Things. An IPS false positive means we block valid network traffic, users wail and gnash teeth, and security takes a beating for hindering the operation of the organization again. Keeping false positives at a minimum is a priority, and this means it is more likely that some false negatives will occur. If the cost of the occasional missed detection is lower than the cost of false positives blocking valid traffic, the trade-off is worth it. Knowing the strengths and weaknesses of your environment and the tools you use is important in tuning for optimum results. Yes, tuning: you share responsibility here. Choosing the right tools and using them properly will reduce the pain that leads to tedious blog posts like this.

Jack</description><link>http://www.secuobs.com/revue/news/341707.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/341707.shtml</guid></item>
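The confusion-matrix bookkeeping in the post above, and the IDS-versus-IPS tuning trade-off it closes with, as an added worked example in Python. This is editor-supplied code, not code from the original post or from any product. The event names, scores and ground-truth labels are constructed sample data; the score threshold is a hypothetical stand-in for signature strictness or sensor sensitivity; and the cost weights are illustrative: an IDS operator weights a miss heavily, an IPS operator weights a block of legitimate traffic heavily. The "accepted" flag models the post's Unacceptable Positive: the condition exists and was detected, so it still counts as a true positive in the matrix even though we choose not to act on it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    score: float            # detector confidence, 0.0 to 1.0 (hypothetical knob)
    exists: bool            # ground truth: does the condition really exist?
    accepted: bool = False  # we know it exists and have chosen to live with it


# Constructed sample data: what a sensor scored, and what investigation later showed.
SAMPLE_EVENTS = [
    Event("sql injection probe",         0.95, True),
    Event("known malware beacon",        0.90, True),
    Event("eol host in isolated lab",    0.80, True, accepted=True),  # real, accepted risk
    Event("unusual port scan",           0.70, True),
    Event("obfuscated powershell",       0.55, True),
    Event("novel malware, no signature", 0.20, True),    # detection lags the malware
    Event("nightly backup burst",        0.65, False),   # looks like exfil, is not
    Event("authorized vuln scanner",     0.60, False),
    Event("normal web browsing",         0.15, False),
    Event("software update",             0.10, False),
    Event("dns lookup",                  0.05, False),
]


def confusion(events, threshold):
    """Count (tp, fp, fn, tn) when the tool alerts on score >= threshold."""
    tp = fp = fn = tn = 0
    for e in events:
        detected = e.score >= threshold
        if detected and e.exists:
            tp += 1
        elif detected and not e.exists:
            fp += 1
        elif e.exists:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def rates(tp, fp, fn, tn):
    """Detection rate (recall), false positive rate and precision; 0.0 when undefined."""
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    return {"recall": recall, "fpr": fpr, "precision": precision}


def triage(events, threshold):
    """Label each event the way the post argues it should be labelled.

    An accepted finding that the tool flags is an 'unacceptable positive', not a
    false positive: the condition exists and it was detected.
    """
    labels = {}
    for e in events:
        detected = e.score >= threshold
        if detected and e.exists:
            labels[e.name] = "unacceptable positive" if e.accepted else "true positive"
        elif detected:
            labels[e.name] = "false positive"
        elif e.exists:
            labels[e.name] = "false negative"
        else:
            labels[e.name] = "true negative"
    return labels


def tune(events, cost_fn, cost_fp):
    """Pick the alert threshold that minimises cost_fn * FN + cost_fp * FP.

    Candidate thresholds are the observed scores, so every distinct cut is tried;
    ties keep the lowest threshold (the more sensitive setting).
    """
    best_threshold, best_cost = None, None
    for t in sorted({e.score for e in events}):
        tp, fp, fn, tn = confusion(events, t)
        cost = cost_fn * fn + cost_fp * fp
        if best_cost is None or best_cost > cost:
            best_threshold, best_cost = t, cost
    return best_threshold


if __name__ == "__main__":
    # IDS: a miss costs 10, a spurious alert costs 1.  IPS: a wrongly blocked flow costs 10.
    for role, cost_fn, cost_fp in (("IDS", 10, 1), ("IPS", 1, 10)):
        t = tune(SAMPLE_EVENTS, cost_fn, cost_fp)
        counts = confusion(SAMPLE_EVENTS, t)
        print(role, "threshold", t, "tp/fp/fn/tn", counts, rates(*counts))
    for name, label in triage(SAMPLE_EVENTS, 0.20).items():
        print(f"{label:22s} {name}")
```

With these constructed numbers the IDS weighting lands on a threshold of 0.20 (every real condition caught, at the price of two spurious alerts) and the IPS weighting on 0.70 (nothing legitimate blocked, two real conditions missed), which is the trade-off the post describes. The lab host comes back as an unacceptable positive rather than a false positive; the novel malware is only caught at the sensitive setting, which is the signature-lag false negative the post complains about.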
<item><title>(ISC)2 election reminder</title><description>Secuobs.com : 2011-11-19 03:11:43 - Uncommon Sense Security - Not that you are likely to forget, but if you are an (ISC)2 member (hold the CISSP or other certification), the election is on for the Board of Directors. There were a handful of unendorsed candidates who tried to make it onto the ballot. One candidate, Wim Remes, made the ballot. Two others, Rolf Moulton and Javed Ikbal, missed making the ballot, but are running as write-in candidates. And, of course, there is the endorsed slate.

First: you should vote if you are eligible. That's the most important part: participate, and vote for those you feel best represent you.

Second: My opinion may not be relevant to you, but I'm voting for Wim, and writing in Rolf and Javed. I think Wim can win, and I hope he does; I have faith in him. I also hope that frustration with (ISC)2 can get Javed and Rolf on the board, too. You can vote for up to four; I'll be voting for three. I will say that at least one of the board "elders" represents what I feel is wrong with (ISC)2, and to a certain extent, InfoSec. Choose wisely, and hope it makes a difference.

Oh, yeah: it is the (ISC)2 website, so the links don't go where you expect and one thing labeled "ballot" dead-ends at the candidate page. At least I didn't see any certificate errors this time. If you have problems voting, complain to (ISC)2. Go here to vote: https://webportal.isc2.org/custom/ElectionBallot.aspx?YEAR=2011 If you choose to write in candidates, please make sure their names are spelled correctly. There are instructions on both Javed's and Rolf's websites.

Jack</description><link>http://www.secuobs.com/revue/news/341545.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/341545.shtml</guid></item>
<item><title>End of year predictions</title><description>Secuobs.com : 2011-11-08 04:30:00 - Uncommon Sense Security - The end of the year is approaching, so the annual flurry of predictions must be right around the corner. Or maybe that smell is just a septic pumping truck; the contents are similar, except there are regulations covering the disposal of septic waste. Here are my predictions:

- People will predict stuff, and for the most part only their successes will be remembered.
- Some people will predict the same things they have been predicting for years (or maybe even decades), and if they are eventually "right", no one will ask about all the times they were wrong, and even if they did it would be shrugged off as "I was right, just off on timing".
- 2012 will not be the year of Linux on the desktop.
- And because I feel compelled to make one real prediction, Windows 8 as a desktop OS will be as disappointing as Windows 7 has been successful.
- No matter what is predicted or what actually happens, randomness will not get the credit it deserves as people look both forward and backwards in time. Admitting that "life is a crap shoot" doesn't get you the respect it should.

I've listened to a couple of interesting books in the past several months, and a recent episode of the Freakonomics podcast does a great job of summarizing a lot of ideas into a one-hour show. Short version: random stuff happens, and that makes prediction hard. Really hard. Also, so-called "experts" are usually wrong, and the more adamant and certain an "expert" is, the more likely they are to be wrong. The Freakonomics "Folly of Prediction" episode does a great job of distilling a lot of research into an easily digestible audio format. (Note: If you aren't familiar with Freakonomics, you should be; they make economics entertaining, challenging, and informative. I've read both books and am a regular listener to the podcast. Unrelated to this post, the recent episode on quitting was another great one.)

Some of what they bring up in the predictions episode of the Freakonomics podcast is covered in much greater detail elsewhere, including a couple of books I listened to earlier this year. The predictions podcast briefly discusses prediction markets, which seem much more promising than traditional pundit-centric pontification style prediction. (Note: I listened to both as audiobooks. Audible is not perfect, but for the commuter and frequent traveler they are great. I've also heard audiobooks are great for people who "exercise", but people who do things like that clearly have too much to live for and are just punishing themselves for it.)

The first book I listened to was The Drunkard's Walk by Leonard Mlodinow. Here's an excerpt from Stephen Hawking's Amazon review of The Drunkard's Walk: "In The Drunkard's Walk Leonard Mlodinow provides readers with a wonderfully readable guide to how the mathematical laws of randomness affect our lives. With insight he shows how the hallmarks of chance are apparent in the course of events all around us." The Drunkard's Walk covers a variety of probability topics, from the significance of randomness to some history of the study of probability, and uses many illustrative anecdotes (including a look at the Monty Hall problem and others where "common sense" appears to let us down).

The second book was Future Babble by Dan Gardner. From the author's site: "Future Babble, a critical look at expert predictions and the psychology that explains why people believe them even though they consistently fail." Future Babble is focused on prediction, but as random events and probabilities are challenges to prediction, this book does have some content which overlaps with The Drunkard's Walk. Both books are overly negative at times, and thoroughly dismissive of many "experts", but together they make a compelling case for a healthy dose of skepticism. These works do highlight issues of bias and fallacies which lead us into making or accepting seemingly "logical" but wrong predictions; being aware of these biases and fallacies can help us identify and avoid them.

One of the recurring lessons of all of these works is that the more confident and adamant someone is about their predictions, the less likely they are to be correct, and the more likely they are to deny when they have been proven wrong. A lot of this goes back to Philip Tetlock's works, including Expert Political Judgment, a skewering of political pundits' ability to predict much of anything. Tetlock often speaks of "hedgehogs and foxes", a reference to the phrase "The fox knows many things, but the hedgehog knows one big thing" from the ancient Greek poet Archilochus. The hedgehogs are those with an ideology or single big idea; they hold onto the idea and rationalize around it. Hedgehogs tend to use absolute words and are very confident in their predictions; hide from these people (television, especially cable news, and talk radio are full of them). Foxes, by comparison, see much more variability in the world and are prone to use what we often derisively call "weasel words" such as "probably" or "likely". Foxes are also much more likely to admit they were wrong when history proves their predictions in error.

I am not saying that nothing can be predicted, and I'm not tossing stones at my risk and metrics friends; I am just suggesting that we pay attention to the realities of the world. And the reality is that random events happen and have a large impact on our lives, and that some things which appear random are not. And that means predictions are often hard, if not impossible. I'll leave you with a final quote, this one from the great philosopher Yogi Berra: "It's tough to make predictions, especially about the future."

Jack</description><link>http://www.secuobs.com/revue/news/339391.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/339391.shtml</guid></item>
<item><title>Cyber War posts by Marcus Ranum</title><description>Secuobs.com : 2011-09-16 14:13:03 - Uncommon Sense Security - As long as I'm not filling your RSS feeds, maybe you want to wander over to the Fabius Maximus blog and read a series of guest posts by Marcus Ranum. Marcus' topic for this series is "Cyberwar: a Whole New Quagmire". It is a good read, insightful and occasionally inciteful (it is Mr. Ranum, after all). Three parts have been posted so far:

- Part 1: The Pentagon Cyberstrategy
- Part 2: "Do as I say, not as I do" shall be the whole of the law
- Part 3: Conflating threats

OBTW, obligatory disclaimer: Yes, Marcus is now a co-worker. Not relevant to this post, but I like to pretend to be ethical and open.

Jack</description><link>http://www.secuobs.com/revue/news/329312.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/329312.shtml</guid></item>
<item><title>Crunch time for (ISC)2 endorsements</title><description>Secuobs.com : 2011-09-16 01:41:57 - Uncommon Sense Security - In case it slipped off your ever-growing to-do list, a gentle reminder that there are five unendorsed candidates for the (ISC)2 Board of Directors. I happen to think it would be a great idea if any CISSP or other (ISC)2 member in good standing endorsed all of these fine folks. The deadline is soon. Remember, endorsement just helps get them on the ballot; the election is coming later this fall. A refresher:

- Tadd Axon: email isc2bodpetition@tadda.org, website https://sites.google.com/a/tadda.org/isc2petition
- Seth Hardy: email shardy@asymptotic.ca, website http://sethforisc2board.org
- Javed Ikbal: email javed@bodelection.com, website http://bodelection.com
- Rolf Moulton: email rolfmoulton@boardcandidate.com, website http://www.boardcandidate.com
- Wim Remes: email wim@remes-it.be, website http://blog.remes-it.be/petition.html

Thanks, Jack</description><link>http://www.secuobs.com/revue/news/329222.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/329222.shtml</guid></item>
<item><title>Social Media Devolution</title><description>Secuobs.com : 2011-09-05 21:24:07 - Uncommon Sense Security - It is over. The dinosaurs may not know it yet, but the "Social Media Revolution" is over, and many of the dinosaurs (aka Social Media Experts, Gurus, etc.) apparently didn't get the message. That may be because there was no comet, no dust cloud, no global cooling. The "revolution" suffered the most humiliating defeat possible: it won, and it became mundane.

The "experts" are still out there, screaming about how you should and should not use social media. They are increasingly doing this alone, or in little clusters here and there, and many think SXSWi is still about them. Every new platform sparks a new round of hue and cry, and fewer people listen with each iteration. Their problem is hundreds of millions of people have discovered everything from Flickr to Facebook to Google+ and Twitter, then they figured out how they worked for them, and are using them the way they want. That means when the experts tell others how to use Twitter or whatever, they are ignoring the way many people already use the services. There is no longer a need for "the social media person" at a company who is "The Voice" of the organization on social media, and there is a rapidly diminishing need for experts or consultants in this area. A lot of these folks really need to get to work on their great American novels and become baristas, or find some other way to be contributing members of society. Their very "special" skills are becoming commonplace, and they need to shut up and move on.

To be sure, there is still a need for the "official" voice of the organization, and there is certainly a need for policies covering what is and is not appropriate use of social media in the workplace, and as it relates to work. But instead of a single voice, smart organizations are letting employees participate in social media to amplify their message. This doesn't mean turning everyone into company shills, but it does mean that it is good to show the world that your organization is full of competent and engaged people. If social media is simply a part of many people's lives, it should also simply be part of your organization. Someone has to be responsible for the official messaging, managing groups, monitoring policy compliance and related administrative details, but that's not magic, that's management.

"But Jack, what about the special audio and video skills needed for podcasts and videocasts?" I hate to break it to you, but those were rarely very "social" in the past, and it is increasingly rare now. Some developed real communities and continue to engage and interact. Not many, though. There were and still are plenty of what I'll call "engaged fans", but that has been true of any media. Few people or organizations really took advantage of the "social" potential of podcasting and videocasting. As far as the skills required, anyone can handle the basics, but if you want high quality content, you will need the right people. These would be audio/video pros, though, not "social media experts".

There is also an ongoing need for people to champion security and privacy issues in social media. We are a long way from solving those problems, but the Experts and Gurus rarely addressed these issues anyway; that has always been up to those interested in privacy and security. There are people doing interesting things in "social media", but they are really just doing things like advertising, community relations, marketing, customer support, and PR in a modern context. So let's call it what it is. And wait for all the Social Media Gurus to serve us our coffee.

Jack</description><link>http://www.secuobs.com/revue/news/327154.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/327154.shtml</guid></item>
<item><title>InfoSec's misunderstanding of business</title><description>Secuobs.com : 2011-07-25 04:34:46 - Uncommon Sense Security - You have heard it ad nauseam: "if we as security practitioners want to be taken seriously, we need to understand the businesses we support and speak to the values of the business, blah, blah, blah". And that, my friends, is bullshit. Still steaming in the pasture on a spring morning bullshit. Bullshit.

Want to move your objectives forward? You need to understand greed and fear, the greed and fear of the people who control the resources. Trying to understand your organization's business only works if the leaders of your org understand it, and they are not bound and/or blinded by monthly/quarterly objectives. Don't believe me? Take a look at the banking industry, or the US auto industry, or whatever area you know about. People who understood the business saw the train wrecks coming, and they tried to warn people about them, but they were ignored or worse. Understanding the business can only lead to frustration, because the people running the business either don't understand the business (but they have MBAs) or they aren't allowed to act in the long term interests of the business.

If you want to improve security in your organization, you need to understand how your organization works, not how it should work. You need to know what feeds it and what scares it. Sadly, that may have no relation to the business your organization is in. Yes, I know that sounds a little bitter and depressing, but it really is OK. The system is just broken enough to work (just like infosec).

Jack</description><link>http://www.secuobs.com/revue/news/318993.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/318993.shtml</guid></item>
<item><title>Are you missing the empty glass moment?</title><description>Secuobs.com : 2011-06-21 05:44:36 - Uncommon Sense Security - I've recently dined at a couple of places which won't make it to my other blog. They weren't bad, but they fell short of being blog-worthy. One of the things that they had in common was that I dined at the bar, and I had to ask the bartenders for additional drinks when confronted with the horror of empty glasses.

An empty glass in front of a patron at a bar is an opportunity for the bartender, not just to sell another drink, but to make small talk, offer a glass of water, anything to improve the drunkard patron's experience. The mercenary reasons are for both the additional sales opportunity and for the shot at improving the tip. A more strategic reason is to build a relationship, and improve the chances of repeat business. Another, more human reason is that happy customers are nicer to be around and make the job better. It is an opportunity to engage the customer when there is an obvious invitation for interaction, a shot at satisfying the customer and maybe even making a buck at the same time.

You're probably wondering where I'm headed with this, and if I may have been over-served before writing, but fear not, there is a point coming. A lot of folks aren't comfortable starting conversations, so we don't do it. I get it, it can be hard, and awkward. One way to make it easier is to look for our own "empty glass" moments, those opportunities where there is a void to be filled. They may not be as obvious as the empty glass, but look for them, and take advantage of them. They may be as direct as someone floating a question in a group, or as subtle as a prolonged silence, but if you look for the opportunities you will probably find some. Instead of selling drinks, we can sell ideas, or simply make connections and make people aware that we are paying attention, so that it is easier for us when we really do need their attention.

That's it, deep thoughts from the end of the bar. Cheers, Jack</description><link>http://www.secuobs.com/revue/news/312499.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/312499.shtml</guid></item>
<item><title>A transition</title><description>Secuobs.com : 2011-06-14 15:47:53 - Uncommon Sense Security - I am very excited to announce that I am joining Tenable Network Security in the role of product manager. I am also saddened that this means I am leaving my friends and my fantastic position at Astaro. This was obviously not an easy decision, and it was made more difficult by the recent announcement of Astaro's planned acquisition by Sophos. This move is, however, unrelated to the acquisition; as a matter of fact I have been looking forward to the expanded opportunities available in the combined organization (I was especially looking forward to working with the Naked Security and Sophos Labs teams). BUT: when offered an opportunity to join the team at Tenable, I had to explore the possibilities, and the conversations quickly led to an offer I could not pass up. From the team of people I will be working with, to the product line (including Nessus), and the challenge of the role I will be assuming, the reasons to make the change have been overwhelming.

My time at Astaro has been great. I am thankful for all of the opportunities I have had while there, and for Astaro's support of many community projects and events. It has been an honor and a pleasure to work with friends and co-workers at Astaro, and I will miss working with them, and I wish them all the best. I also still believe in Astaro products; that's why one of the first things I have done in converting my office is set up an Astaro gateway running the free, 50-IP home-use license.

As far as what this means for my involvement in BSides and my various other activities: I'll still be as engaged as possible, and Tenable supports my efforts. I do expect to spend less time on the road in my new position, so I may not attend quite as many events in person. And yes, of course I will be in Las Vegas for the annual week of madness in August for BSides Las Vegas and DEFCON.

By the way, if you are looking for your next great career opportunity, I have leads for you: Astaro, Sophos, and Tenable all have positions open, see their careers pages for details: http://www.tenable.com/careers http://www.sophos.com/companyinfo/careers http://www.astaro.com/company/career?country=All

Jack</description><link>http://www.secuobs.com/revue/news/311059.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/311059.shtml</guid></item>
<item><title>Spaf's Memorial Day thoughts on "CyberWar"</title><description>Secuobs.com : 2011-05-29 19:02:14 - Uncommon Sense Security - Take a few minutes and go read Gene Spafford's "US Memorial Day Thoughts on Cyber War". This is not the typical "OMFG THE SKY IS FALLING ONLY THE GOVERNMENT AND MILITARY CONTRACTORS CAN SAVE US FROM THINGS THEY CAN'T DEFEND THEMSELVES AGAINST!!!11!1" bullshit we regularly see, nor is it the oft-repeated flippant dismissal of the existence of whatever it is people mean by "cyber war". It is a reasoned and balanced view of the current situation, and a look at where we seem to be headed, from the perspective of Dr. Spafford. His observations about the state of technology education may be the scariest thing about the situation, and if unchecked will likely be more devastating than any "attack" we may suffer.

Jack</description><link>http://www.secuobs.com/revue/news/307854.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/307854.shtml</guid></item>
<item><title>Risk analysis and things that go boom</title><description>Secuobs.com : 2011-05-23 19:56:04 - Uncommon Sense Security - A recent paper with the sexy title "Understanding and Managing Risk in Security Systems for the DOE Nuclear Weapons Complex" (and subsequent coverage of it) wound some people up over its attack on probabilistic risk analysis (PRA). You can download a free copy of the PDF at http://www.nap.edu/catalog.php?record_id=13108 It is worth a read; it is only 30 pages, and the meat is really only a few pages. Read the preface on page IX, then the content from pages 1-5, and you can skip the rest unless you really want the tedium of government documentary fluff. (Note: this is the public, sanitized version; there is a longer, and understandably classified, version.)

Here's the quote that seems to trigger the reaction: "The committee concluded that the solution to balancing cost, security, and operations at facilities in the nuclear weapons complex is not to assess security risks more quantitatively or more precisely. This is primarily because there is no comprehensive analytical basis for defining the attack strategies that a malicious, creative, and deliberate adversary might employ or the probabilities associated with them."

I don't have a problem with this; I think it is dead on. Part of my frustration with the risk analysis crowd is many of them insist on using made-up or otherwise useless metrics for "calculating" their "probabilities". That isn't the issue here, though. In this case, PRA fails for the reason stated above: "there is no comprehensive analytical basis for defining the attack strategies that a malicious, creative, and deliberate adversary might employ". This is especially true in the context of this document: physical threats to the US nuclear weapons arsenal. The consequences are simply too high to not just do the absolute best job possible. That is not true for what we deal with in information security, no matter what the cyberhypemeisters tell us. Things like "acceptable level of compromise" aren't acceptable when we're talking about nuclear weapons. Small incidents with nukes are not small. (Tangent: say what you will about his politics, birth certificate, whatever; I am relieved to hear a president who doesn't say "nuculer".)

Now, if you want to put together some good metrics, reliable and repeatable ones, and use them for predictive modeling in environments where some margin of error is acceptable (as in most of what we do in InfoSec), we can work on that. Just don't tell me that those good metrics are common in our field, and never forget the underlying truth that an attacker with adequate resources will ALWAYS defeat us, and we have something to work on. Even the authors of this paper see the value in PRA, just not as an absolute. Immediately following the above quote is this comment: "However, using structured thinking processes and techniques to characterize security risk could improve NNSA's understanding of security vulnerabilities and guide more effective resource allocation." Brian Snow talked about this paper on an episode of Risky Business last month if you want to hear his perspectives (Brian was one of the authors of the paper).

My takeaway: We have to determine if the tools we use are truly appropriate for the task at hand, and if we are using those tools properly. With good metrics and measurements we can gain insight from risk analysis. Conversely, with crap statistics, improperly applied, we can waste an astounding amount of time and money. No hype, no drama, just a little common sense.

(Note: Some days you question the paths you have taken in life, and where they have led you. One such day (night, actually) I had just returned to my room from Frankie's Tiki Room in Las Vegas. I was preparing for a brief slumber when I noticed the two documents on my desk, and asked myself how the (expletive) I got to a place in life where this makes sense, at least to me.)

Jack</description><link>http://www.secuobs.com/revue/news/306619.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/306619.shtml</guid></item>
<item><title>Astaro accepts offer from Sophos</title><description>Secuobs.com : 2011-05-07 05:13:04 - Uncommon Sense Security - This is about my employer. It is an unusually corporate, market-y sounding kind of post for me. Feel free to skip this one if you aren't interested, I will not be offended. It is kinda big news for some of us. The nice folks who pay me to do all kinds of cool things, Astaro, have agreed to be purchased by Sophos. There are a lot of questions that I have seen and heard, and some utter nonsense has been said. BUT FIRST: I am just an employee of Astaro. I am not a founder, owner, or senior management team member. What follows are my personal observations and opinions. I have no "inside knowledge" to share, and even if I did, I couldn't. The official press release and FAQ have the basic info. There are several blog posts and articles about it. My new colleague Graham Cluley over at Sophos' Naked Security Blog did a good summary post with links to several other articles and posts. Mike Rothman's analysis over at Securosis is a good one. I'm sure you can find more. You can also find some that are off the mark. If you read something that doesn't make sense, please apply a little skepticism (if you read this blog, that should be easy for you). I have received several questions, and I will UNOFFICIALLY answer them based on my understanding of the situation. Q: What about the free home version of Astaro? A: Don't worry, it is not going away. Astaro's management team will continue to manage the Astaro line as part of Sophos. The home version is important to them, and to most of us in the Astaro team. It is a key part of Astaro's success, and a key part of building the Astaro community. It would be silly to discontinue it. Q: You say that now, but will it change as the product evolves? A: I am sure it will, and have no idea what that will look like. If I were psychic, I'd be a gambler, not a packet monkey. But, see previous answer. Q: What about X Open Source project? A: Open Source provides great value to Astaro, and Astaro provides support back to Open Source projects. That will continue. And, any Open Source code will stay Open- as the licenses require. Q: What about BSides and other community sponsorships and support? A: Short term- nothing changes. The awesome Astaro PR and Marketing team is committed to building communities. It is a differentiator for Astaro, and it is the right thing to do. Long term- it is a financial decision; as long as it makes sense, I expect it to continue. And I expect that to make sense for a long time. Now, a little strategy talk. This creates a combined company with a broad diversity of security and management products. There is not a lot of overlap in product lines, so there is not much redundancy to reconcile; there will just be the challenges of integration where appropriate. On the Astaro gateway side, that's pretty easy- it is a modular platform which has allowed adding and modifying components and features as the product and customer needs have evolved. Some have said that the endpoint and network security channel partners are different, and the buyers are different, and this will cause difficulty for the combined company. While that may be true in limited cases, most likely in larger environments, my experience brings me to quite the opposite conclusion. I talk to our partners, as well as other VARs, MSPs and resellers regularly; most I speak with want a complete and diverse product line to offer their customers and prospects. Likewise, the pressures of the economy and the never-ending push for increased efficiency are driving the consumer to look for efficiencies and cost savings. This pressure on those in the IT trenches is why the UTM (Unified Threat Management) segment is gaining traction in ever larger environments- simplified, unified, cost-efficient products conserve scarce resources. It only makes sense that a properly integrated, quality suite of products will be attractive to businesses. And even in the cases where the desktop team doesn't "play nice" with the firewall guys (or web filtering, or whatever), I have a couple of thoughts: It is about the company's best interests, the pressure is on, and cooperation is happening, or will happen. With the current teams, or those who replace them. More importantly, the budget authority is frequently above these levels, and good managers understand the value of efficiency. Things will change. There will be opportunities, there will be missteps, and there will be successes. I believe this is a good move, but that is speculation; it is now up to us in the new, combined company to prove it. And finally (for now): if you have questions, comments, or concerns- let us know. If you do not know who to ask in the Astaro team, or at Sophos, ask me. Drop a note to jdaniel at astaro dot com. I am on the road a lot, especially for the next month, so my responses may not be immediate, but ask me, and I will answer as soon as I can, or I will connect you with the answer. Jack</description><link>http://www.secuobs.com/revue/news/303221.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303221.shtml</guid></item>
<item><title>Verizon DBIR (or, I told you so)</title><description>Secuobs.com : 2011-05-04 12:12:01 - Uncommon Sense Security - Now that I've had over a week to read, re-read, digest, etc.: I told you so. For all the scary, uber-sophisticated attacks we run off to conferences to see, and all the amazing feats of exploitation we hear about, real-world compromises are most often exploiting basic failures in security. If you are a regular reader of the Verizon Data Breach Investigations Report you will know that the DBIR has again confirmed our failure to secure the basics. That is a pretty gross oversimplification, but it is true. This year's report reflects a pretty significant shift from the enterprise to SMB, and has some interesting data. One thing that many have latched on to is the rise in the number of breaches, but significant drop in the number of records breached in 2010; if Verizon's numbers reflect the world at large we will see a stunning reversal in the 2011 data. This anomaly doesn't alter the value of DBIR data, but it highlights the difficulties in making pronouncements based on a single report. Before we go on, some background information will be useful. The Verizon report includes both Verizon and US Secret Service data, and while it represents hundreds of cases the experience is far from universal. There is a lot of selection bias at play, and that narrows the scope of the results. See my recent How to misinterpret the Verizon DBIR post for more thoughts on interpreting the report. As far as the substance of the report, there are a handful of things I find insightful, or at least interesting: The "internal threat" is real. Just not a big deal compared to outsiders kicking our butts. And, the insider take tends to be smaller than external attackers. 83% of victims were targets of opportunity. Too many people are still making it easy. Speaking of: 92% of attacks were "not highly difficult" per Verizon. Even if we argue about the ones Verizon labels "moderate", there are still 43% of attacks in the "stupid easy" category (OK, technically speaking, Verizon refers to 6% with a difficulty of "none" and 37% "low"). 89% subject to PCI-DSS had not even achieved compliance with this fraudulently imposed sub-minimum sub-standard (sorry, I may have let a little editorializing slip in there). Continuing trends included: Organizations not knowing where their stuff is and how it can be accessed (the unknown unknowns) appear to be improving, but this is still a big problem. Organizations do not log everything they should, but it is OK, because they don't look at the logs anyway. At least not until it is too late. And how do they know it is too late? Again, third parties are much more likely to discover a breach than the organizations themselves. There are a lot of ATM, gas station, and other POS (Point of Sale systems) attacks in this year's report, largely split into two categories: physical compromise of ATM and gas station card readers, and exploitation of remote access deficiencies in POS systems. While the remote access attacks fit in with our traditional idea of criminals attacking computer systems, the physical installation of skimmers on ATMs and gas pumps does not. It is hard to look cyber while standing at the location of compromise while carrying hardware and wearing a toolbelt. I like this report more each year. BUT, there are things which make me nuts. If I could have two things from the DBIR team they would be: More raw data. Give me the numbers. I understand that too much detail could undermine the anonymization, but I want more raw data (yes, I'm one of those folks who generally believes good data visualization means a readable font in the spreadsheet). An adult version of the report. Take out the redundant high-point popups, they're a distraction to those of us who really read the report. Pull out some of the infographics, too (see above). I'll read the whole report, with highlighter and pen in hand, more than once, and decide what is important to me. That's enough from me- there are already more than enough summaries of the DBIR out there. Jack</description><link>http://www.secuobs.com/revue/news/302509.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/302509.shtml</guid></item>
<item><title>Cloud computing resources</title><description>Secuobs.com : 2011-05-02 11:45:54 - Uncommon Sense Security - No hype here. No "cloud will change everything" nonsense (it won't). No "cloud is nothing new" nor "cloud is completely new" nonsense, either (cloud is perfect for a wedding- Something Old, Something New, Something Borrowed, Something Blue, and a Silver Sixpence in Her Shoe. But you'll need more than sixpence). If you've been keeping up with the smart cloud folks, you probably won't find anything exciting here- but below are some good general resources. Properly deployed for appropriate purposes, cloud computing can be fantastic. I have moved most of my lab systems to a cloud environment and it has provided a huge improvement in my ability to test systems and deliver demonstrations. My employer uses cloud systems to deliver content and services for partners and customers more effectively than we could with internal resources. But, cloud computing is not for everyone, or for everything. You just need to research, plan, and migrate wisely. There are a handful of very good cloud computing security documents out there; here are ones I recommend (some are pretty big PDFs). Start with the NIST definitions doc, it was only two pages, but has been bloated to seven without adding value. Just read the last two pages, ignore the rest. It is not "security specific", but it sets a common terminology for the rest: http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf My new favorite cloud security reference is from the Australian Defence (yeah, they spell it funny over there) Signals Directorate; their Cloud Computing Security Considerations is a great resource, and a great conversation starter for those considering a move to cloud computing (it is 19 pages and an easy read, too). If you read only one, read this. And share it: http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf For more meaty discussions of cloud security, it is hard to beat the documents recommended for those preparing to take the Cloud Security Alliance CCSK (Certificate of Cloud Computing Knowledge) exam. CSA's own "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1" is not a light read, and is enterprise focused, but has a lot of good information. The other study document is the ENISA "Cloud Computing Risk Assessment". It is also not a quick read, but has more small- to mid-sized business focus (reflecting its European origin). Speaking of CCSK, it is an interesting certification. I've recently passed the exam, and heartily recommend the study material- but the certification is probably of limited value to most people until "cloud" is better understood. As you would expect, CSA has an enormous amount of information on their site, covering a myriad of cloud concepts. A couple more references for those of you who want a broader understanding: NIST also has a "Cloud Computing Reference Architecture" which needs some help in the area of readability, but is a good resource, especially for the discussion of cloud computing roles. OpenCrowd's Cloud Taxonomy is useful for help in categorizing cloud products and services and for understanding the categories. This is by no means a complete, or even exhaustive list (although I do feel somewhat exhausted); it is just a pile of stuff that I hope will be helpful to those considering a move to cloud computing (or to those already in the clouds, but afraid of heights). Jack</description><link>http://www.secuobs.com/revue/news/301961.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/301961.shtml</guid></item>
<item><title>How to misinterpret the Verizon DBIR</title><description>Secuobs.com : 2011-04-25 17:43:27 - Uncommon Sense Security - Actually, a post on the topic described in the title would be pretty much redundant, because a lot of people seem to have a natural talent for misinterpreting information. And the Verizon Data Breach Investigations Report is one that really gets some bizarre spins put on it (and that's before the sales weasels get their paws on it and start trying to scare prospects into buying stuff). In case you've been under a rock, Verizon released their 2011 DBIR last week. Get your own copy from the Verizon Security Blog. Read it, there's good stuff in there. Keep your filters up as you read it (this is good, and it is data few others share- but not perfect, and the experiences are not universal; and Verizon is candid about this). For practical advice on reading the report (and many others), I will offer the following: The sample sets are not the universal experience. Informative, but not universal. Correlation is not causation. Never was, still isn't. The report provides data on both the number of breaches and the number of records lost. They are very different, and should not be confused. The report also lists both raw numbers and percentages. These sometimes appear to generate conflicting information. And really provide for some apparently conflicting trends. Combine misunderstanding of the difference between number of breaches and number of records lost with a misunderstanding of percentages versus raw numbers, and you are ready to be interviewed on the DBIR. Really, go read it for yourself. It is good- just be wary of what others tell you it says. Jack</description><link>http://www.secuobs.com/revue/news/300608.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/300608.shtml</guid></item>
<item><title>Quasi-annual semi-disclaimer</title><description>Secuobs.com : 2011-04-02 00:39:31 - Uncommon Sense Security - I need to head off a little confusion; most folks know this, but here goes. I am the Community Development Manager for Astaro. It is a great job, with a great company, and I'm eager to assist people with the products and the company any way I can. BUT, I am not in the sales, support, or development teams- nor can I snap my fingers and make things happen (believe me, I've tried). Unless I state otherwise in a conversation, presentation, whatever- I do not speak for Astaro, its founders, employees, etc. If you want to contact me about Astaro, I want to hear from you and will do whatever I can to answer questions or assist you; please drop me a line at jdaniel (at) astaro.com, or hit me up on Twitter @Astaro_JD. I am one of the co-founders of Security B-Sides, and am one of the core group of people who help keep it rolling and growing. I also help run some of the events. As I have said many times, the B-Sides phenomenon is amazing, the community is beyond amazing, and I am both proud and humbled to be a part of it. BUT, I am not B-Sides, I'm just one of the team. Unless I state otherwise, I do not speak for B-Sides, and any opinions expressed are my own. I specifically maintain some distance from some things in the B-Sides world, generally involving specific sponsorship and financial matters. This is because I work for a sponsor and do not want any appearance of conflict. I am eager to answer questions about B-Sides, help organizers where I can, connect people- whatever I can do to help sustain Security B-Sides. To contact me about B-Sides, please send a note to jack (at) securitybsides.org. For general information (or to reach the core team) please send messages to info (at) securitybsides.org. Note: I have considered a separate blog for B-Sides commentary and updates, but instead will continue to post B-Sides content here- but out of deference for those who may not be interested, I will make sure the title of all B-Sides posts begins with "B-Sides" so that you can skip them if you are so inclined. If you want to contact me about anything other than B-Sides or Astaro, and don't know where to turn, I'm on Twitter @jack_daniel or you can email me at jdaniel (at) voodooelectronics.com. Now, back to not blogging enough. Except I really need to do that blog on Frankie's Tiki Room over on the other blog. Jack</description><link>http://www.secuobs.com/revue/news/295797.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/295797.shtml</guid></item>
<item><title>BSidesAustin slideshow</title><description>Secuobs.com : 2011-03-19 03:32:40 - Uncommon Sense Security - In case you hadn't noticed, I like Animoto. This is what you missed if you weren't there. The music is from Lisa Marshall, she entertained us on Hackers on a Duck II and played all over Austin during SXSW. Jack</description><link>http://www.secuobs.com/revue/news/292752.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292752.shtml</guid></item>
<item><title>If you aren't doing THIS, you aren't doing your job</title><description>Secuobs.com : 2011-03-19 02:27:34 - Uncommon Sense Security - Ever heard that from someone? It doesn't really matter what "this" is, "this" is always a critical component of your job which you are foolishly overlooking. Curious, really. It turns out that many people are actually too busy doing their jobs to be bothered with doing what other people think their jobs are. If you say this to someone, or to an audience, be prepared to be shut down. I am not saying never do it, but you need to consider the risks of alienating your audience. Sometimes people need a wake up call, but know that this, or similar statements, can lose people- it gives them an excuse to ignore you. Flip it over: "If I were in your situation, even with everything you have to deal with, I would be very concerned about THIS, and making plans for it, because..." There, make the point, avoid getting rotten fruit thrown. Jack</description><link>http://www.secuobs.com/revue/news/292748.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292748.shtml</guid></item>
<item><title>BSides Austin Job Board</title><description>Secuobs.com : 2011-03-19 02:27:34 - Uncommon Sense Security - It looks like the security biz is doing OK. At Security BSides Austin companies were trying to fill several positions- so I thought I would list them here. Not turning into a job board, this is not an endorsement of anyone (although companies involved in BSides are pretty cool in my book). Trustwave: junior and senior app pentesters needed. AlienVault: Pre- and Post-sales tech. NetWitness: SE and services positions. Atsec: Software evaluators and seasoned pentesters. AlertLogic: Security Analysts and Developers. Denim Group: All kinds of cool stuff. No links, Jack? You could look at the jobs board pics on the BSides Austin Flickr set. Or maybe ask the Google, that dude knows everything (and some of it is even correct). Oh, yeah. BSides Austin rocked. It was a BSides, in Austin, what did you expect? Jack</description><link>http://www.secuobs.com/revue/news/292747.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292747.shtml</guid></item>
<item><title>That conference and the façades of vendors</title><description>Secuobs.com : 2011-03-03 11:31:10 - Uncommon Sense Security - There was this Really Big Security Conference a couple of weeks ago. Actually, it appears that there were a few Really Big Security Conferences a couple of weeks ago based on the bewildering array of opinions about it/them. I liked Zach's take on it, but some folks really disagreed with his sentiments. I think this was my fourth of these things, and I was more depressed than usual after the event. There appeared to be more good talks this year, but without a reduction in the number of obvious sales pitches or old-news talks. But everyone knows where I go for content and conversation, so let's skip that part. While others saw it differently, to me the vendor area was ugly. People I used to respect were screaming not-quite-truths over PA systems, vendors were giving away cars while screaming errors-of-omission, booth babes (including at the NSA booth), all of the usual stuff, only more and louder than normal. What really depresses me is not just the screaming lies, but it was who was skirting and subverting the truth. Brilliant people, respected in the industry, reduced to sleight of mouth to pitch their wares. Another thing which disgusts me is attacking competitors. There is a big difference between promoting market differentiators and trash talk; a lot of sales folks never learn this. No, I will not name names- I feel guilty for not calling them out publicly, but at least one was a direct competitor and there is no way to call them out professionally. But that's sales, build a pretty façade and hope people like it. Unfortunately, they can be problematic in architecture; they require a lot of support and add weight that can actually detract from the structural integrity of the building if not planned into the design. The façade of perfection and overstatement of features in security systems is not "built in to the infrastructure". As with some inappropriately adorned buildings, the hype usually just adds a burden to an otherwise solid product. Let's assume the vaguely-resembles-the-truth sales pitch delivers a customer and closes a deal; what happens when they discover the actually-is-the-truth about the product? Disgruntled customer, high support costs, low customer retention rates. Here's my crazy idea: sell what you are selling based on its strengths and key differentiators. Of course you will promote it positively, but don't lie about it, and do not trash the competition. Sales is not athletics, but I would really like to see more of the attitude good athletes have- the way to win is to win, not to make others lose. Note: No, I'm not new at this, nor am I naïve. I have decades of auto industry experience, and I assure you that as scammers, liars and frauds the security industry are a bunch of amateurs. That doesn't mean I have to be content with the crap. Jack</description><link>http://www.secuobs.com/revue/news/289079.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/289079.shtml</guid></item>
<item><title>So I missed a point or two</title><description>Secuobs.com : 2011-02-28 11:53:14 - Uncommon Sense Security - As is often the case with quick blog posts, a bit of reflection before posting could have added some clarity to my last one, The true cost of non-compliance is ZERO. As far as "things going wrong", the trigger for pushing the cost above zero may not simply be "suffering a breach", but is more likely "suffering an incident which is so bad we have to deal with it". Again, not a happy thought, but one we must accept if we want to make progress. I am tempted to opine that this is especially true in small to mid-sized organizations, but I am repeatedly reminded that many large enterprises are just really big small businesses, so I'll refrain from that. Andy Ellis pointed out that there are costs, specifically internal reputational cost, which I missed. Andy is smart like that. That means hiring and keeping good people will be a problem, as will other things that can accompany morale issues. They are hard to measure though, and are often overlooked until they reach a crisis stage- which I guess would qualify as "something going wrong". Jack</description><link>http://www.secuobs.com/revue/news/288154.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/288154.shtml</guid></item>
<item><title>The true cost of non-compliance is ZERO</title><description>Secuobs.com : 2011-02-27 20:04:14 - Uncommon Sense Security - There has been lots of talk about the cost of compliance, and lately about the cost of non-compliance. Most of the talk conveniently ignores this fact: The cost of non-compliance is ZERO... if nothing goes wrong. If you don't think that the people making decisions on budgets should and do consider this fact, you are probably both more frustrated and less effective than you need to be. I hear you saying "but Jack, things always go wrong". That is both true, and not true. In the security world we mostly deal with things which have gone wrong, and that's what we see. The stuff humming along nicely (or at least not horribly) is usually under our radar. The things most likely to go wrong are: Getting caught. This likelihood ranges from "probable" for many under PCI to "indistinguishable from zero" for many other laws and/or regulations. Note: you need to have former Assistant DAs explain lack of funding for regulatory enforcement to you when you try to convince them to secure their law practices to really enjoy this topic. Or so I've heard. Suffering a breach. This still leaves open the question of whether being compliant would have prevented the breach ("Compliant" does not guarantee "secure"). More importantly, this does not address whether compliance would have provided the most effective preventative (both from cost and logistic perspectives). Jack</description><link>http://www.secuobs.com/revue/news/288056.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/288056.shtml</guid></item>
<item><title>The Tonga Room, a moving experience</title><description>Secuobs.com : 2011-02-22 04:10:54 - Uncommon Sense Security - Note: this is a cross-post from my travel/liver damage blog. I also posted here because of the significance of the topic to the InfoSec community. Really. It looks like the future of the Tonga Room involves a move to a new location. What is the Tonga Room? The Tonga Room is one of those special places which is so tacky that it comes out the other side and has class again. Follow the link above to my last post on it for more details. Rumor (wink, wink) is that the Tonga has been sold; name, fixtures, even employees- as a whole, to be moved to an as yet unknown location. Details are sketchy, but my sources are impeccable (always trust people in Hawaiian shirts). Expect the "new" Tonga in a new venue, but I don't know when. The month of April is when something happens, but as of yet I do not know if that is closing, reopening, or what. There are more questions than answers at this time. Will it still have the pontoon tiki boat stage? Will the complete set of fixtures be part of the resurrected Tonga- including the masts, railings, and rigging from the Forrester? Will the loyal employees be treated well under the terms of the sale and under the new owners? Will the Mai Tais still kick your butt down the hill? Will there still be a hill to have said butts dragged up and kicked down? For the past few years I have made a pilgrimage to the Tonga Room at the beginning (and often middle and end) of the week of the RSA conference (and now the week of Security BSides San Francisco, too). This year we spread the word a bit more and ended up with TongaCon, which kicked serious butt. There were probably about 35-40 people who rolled through, more paper umbrellas than I could count, a live RickRolling of the bar by the band (FYI, Rick Astley covers should always be done by lounge bands on a pontoon boat). There may have even been unfortunate events involving an unnamed journalist's bald head and someone else's beard, and possibly a "how many umbrellas can we stick in Jack's beard" contest (you will have to find those pictures on your own). More TongaCon photos here. I am asking San Francisco locals (and everyone else interested) to keep me posted on the future of the Tonga Room, and I'll share the info. Jack</description><link>http://www.secuobs.com/revue/news/286761.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/286761.shtml</guid></item>
<item><title>Value of Certifications survey</title><description>Secuobs.com : 2011-02-19 02:58:59 - Uncommon Sense Security - Mike and Lee over at Information Security Leaders have kicked off a new survey on the value of certifications in your information security career. They put a lot of effort into their studies, and always share the results- so if you have 5-10 minutes take a look at the survey. Take the survey from here: http://www.infosecleaders.com/research/2011-survey-the-value-of-certifications/ Jack</description><link>http://www.secuobs.com/revue/news/286360.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/286360.shtml</guid></item>
<item><title>Digging deeper into my last post</title><description>Secuobs.com : 2011-02-14 13:28:31 - Uncommon Sense Security - In my last post I mentioned my observation about Shmoocon Labs' success at emulating an enterprise network, including some attributes not planned- specifically some inefficiencies, complexities, and balkanization of roles. Note: as I said in the last post, this is not a shot at Shmoocon Labs, I think the Labs are fantastic- I'm just extending the learning experience beyond the stated curriculum. Modern networks, even fairly small ones, are often more complex than they need to be. The people who manage the networks have limited areas of expertise and generally work within their knowledge areas- this tends to mean a bias towards specific products, services, and techniques. These are expected issues, no one can master all aspects of network or system administration; we all (well, most of us) do the best we can with the resources available and make stuff work. I want to reiterate that point: We do what we can, with what we have, and make the best of it. That does mean that the results aren't always pretty- but as is also true of my old pickup truck, we get the job done. After years of doing the best we can with what we have in our environments, the cumulative result is frequently downright ugly- especially when seen through the eyes of outsiders (good thing we aren't judgmental when we enter new environments). I am not suggesting we excuse or ignore the train wrecks we see in our daily InfoSec grind, they are usually easy to spot and should be called out. It is our job to identify and try to resolve problems. If, however, we fail to consider how the situation evolved into its current state or we forget that no one set out to make a train wreck, we are likely to be ignored- or we will repeat the same mistakes that created the old mess (although the technology industry has an amazing aptitude for making the same old mistakes in new and exciting ways- but this isn't a post on Cloud computing, so we won't go there). Jack</description><link>http://www.secuobs.com/revue/news/285057.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/285057.shtml</guid></item>
<item><title>Just like the real thing</title><description>Secuobs.com : 2011-02-12 17:30:51 - Uncommon Sense Security - NOTE: I debated writing this because some might take it as criticism of Shmoocon or dismiss it as my disappointment in the failure of my plans for participation in the Shmoocon Labs this year. It is neither, it was simply a great learning experience- and like most of the best learning experiences, the lessons learned were not on the curriculum. Shmoocon was great again this year. The Shmoobus was entertaining as always, blizzard and its aftermath on the way down, rolling LAN party and much more on the way home. One of the things Shmoocon does every year is build their event network as a training event, Shmoocon Labs, not just to provide connectivity for the con. They swoop in, split into teams (switching, firewall, wireless, services, visualization, etc.) and start building a network on Thursday morning, and by Friday afternoon they have a (mostly) functional network serving the needs of the conference and its attendees. And by Sunday evening it is all gone. The goal is to build a truly "enterprise class" network, and they pull it off every year. The various teams handle specific segments of the network, and while everyone works together, there is a segregation of duties between teams and tasks stay in the appropriate team. Everyone on the labs crew is a volunteer, many even pay extra to participate and learn- this means expertise is based on the experience of those participating. There are a lot of very experienced network engineers in the Shmoo team, and they do a killer job. BUT: The network is complex. It is done on purpose, as part of the training experience. But complex "anything" is problematic in many ways. Complexity brings challenges to configuration, compatibility, manageability, security, and more. AND: Task isolation between teams means that sometimes the most expedient solutions are not applied because the team with primary responsibility for the task or service is given the opportunity to work through the issue and learn. BUT: These "problems" aren't really problems at Shmoocon, right? They are part of the program, there are very good reasons for intentionally introducing these burdens and challenges. And besides, everything works eventually and thus the labs are a success. Hey, wait a minute... "That's not a problem because we do it on purpose, and besides, it works" sounds vaguely familiar, doesn't it? It turns out that they manage to capture more details of a true "Enterprise Network" than are in the plans. Jack</description><link>http://www.secuobs.com/revue/news/284798.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/284798.shtml</guid></item>
<item><title>Choir preaching, chamber echoing, etc</title><description>Secuobs.com : 2011-02-07 23:24:53 - Uncommon Sense Security - There has been a lot of talk about the "echo chamber" of information security lately, mostly inside the echo chamber, about how we need to get outside of the echo chamber. (Image credit: Hugh MacLeod's Gaping Void.) Likewise, there has been a debate about the "preaching to the choir" aspect of many security conferences. This really makes me worry about what kind of churches you people go to. If we're going to play with these metaphors: I do not have a problem with the comfort of the echo chamber, nor do I think there is a problem with preaching to the choir. We deserve to have fun occasionally, share information with people we know, build the relationships that help us do our jobs and get through our crises, and all the other things we do at gathering places, both physical and virtual. The problem is when we never leave these enclaves. We need to share what we learn. We need to get our teeth kicked in by the realities of the real world, business needs, people's priorities and biases. Then retreat to our little cliques, recharge, and repeat. Face it, if it was easy, most of us wouldn't do it. There is something a bit off about the "infosec" mind, and that's OK. Jack</description><link>http://www.secuobs.com/revue/news/283520.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/283520.shtml</guid></item>
<item><title>Shmoobus on Tumblr</title><description>Secuobs.com : 2011-01-28 20:40:53 - Uncommon Sense Security - OK, my grand plans for streaming live yesterday didn't work, but a lot of Shmoobus antics were fed to http://shmoobus.tumblr.com, and will be again on Sunday for the trip home. By the way, this is no way to start a road trip: Shmoocon Snowpocalypse II. As always, thanks to Astaro for sponsoring this mayhem.</description><link>http://www.secuobs.com/revue/news/281479.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/281479.shtml</guid></item>
<item><title>Shmoobus Live Feeds</title><description>Secuobs.com : 2011-01-27 04:31:39 - Uncommon Sense Security - This is a test post; the live feeds will move to http://www.astaro.com/blog/security-perspectives when we work out any issues. Thanks again to Astaro for sponsoring the ShmooBus. You have better things to do than watch this and be jealous that you aren't with the cool kids on the Shmoobus. BUT, if you want to watch anyway, I'll be trying both Qik and Ustream and streaming on whichever works better. Widgets for both are below: Qik ShmooBus Stream; Ustream ShmooBus Stream.</description><link>http://www.secuobs.com/revue/news/281086.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/281086.shtml</guid></item>
<item><title>In Defense of FUD</title><description>Secuobs.com : 2011-01-19 17:51:59 - Uncommon Sense Security - That's right, I'm defending FUD. Yes, I mean Fear, Uncertainty, and Doubt. That kind of FUD. And I'm here to defend it. FUD is under unjust and unreasonable attack. Not from people who decry its use, but from some vendors, consultants, analysts, politicians, pundits, and regulators. Yes, they use FUD to sell their products, services, ideologies, whatever; but that is only the beginning of the problem. Things really turn ugly with the promises these folks make: if you will just buy what they are selling they will deliver you from FUD and bestow upon you BCC (Bravery, Certainty, and Confidence). And Confidence is the right word, because this is a con game. If you think buying anything, whether physical or metaphysical, can completely relieve you of fear, uncertainty, and doubt, you are naïve. People don't work that way, and we shouldn't. Fear, uncertainty, and doubt, at reasonable levels, keep us alive, and alert. I am not a proponent of crippling fear any more than I am a fan of naïve confidence, but a little bit of discomfort and uncertainty can drive us to question our preparedness, and rethink the challenges we face. And that is healthy. If you find yourself confronted by someone whose promises are absolute, you need to be very careful (I generally either flee, or mess with their tiny little brains; buying is not an option). We want to feel safe and certain, that is why there is a "security" industry; but if we are honest, the real goal is to reduce the chances of something bad happening down to an acceptable level. We are never completely "safe", and anyone who claims that what they are selling can change this fact is a charlatan. Some of the most dangerous sources of inflated FUD and unreasonable BCC are organizations and agencies pushing their various certification and compliance agendas. Compliance with a standard, even a professed "security" standard, does not make you secure. A new set of letters after your name doesn't change the world. These things "might" move you forward, but they won't "solve" your troubles; keep that in mind when spending time and money on them. That's it. I'll take a manageable dose of FUD over any blind BCC any day. And you should, too. Jack</description><link>http://www.secuobs.com/revue/news/279277.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/279277.shtml</guid></item>
<item><title>Good news, bad news</title><description>Secuobs.com : 2011-01-15 02:30:49 - Uncommon Sense Security - Have you heard? It isn't new, but many seem to have missed it: Mozilla's plugin check tool now supports multiple browsers, not just Firefox. Just go to the URL, http://www.mozilla.com/en-US/plugincheck, with each of your browsers and the plugin tool will list installed plugins and give you a status: Outdated Version gives you a link to update; Up to Date gives a "thumbs up"; Unknown gives a "research" button which launches a search for you. The value isn't just in making sure your plugins are up to date, but also in showing you a list of them. As with anything else in security, get rid of any you don't need. You may have to settle for disabling some items which can't be uninstalled. So what's the bad news? After you have done this with all the browsers you use, stop and think about doing that throughout your network. Mildly annoying to take a few minutes sitting in front of your machine; painful to agonizing, or even impossible, throughout a network. It is enough work making sure the browsers themselves are up to date; plug-ins and add-ons are pretty much hopeless. Sure, patch- and systems-management tools get the browser and applications, but the extras are hanging out there exposed, and there isn't a good answer for that. There's your weekend ray of sunshine. Jack</description><link>http://www.secuobs.com/revue/news/278425.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/278425.shtml</guid></item>
<item><title>Shmoocon FireTalks</title><description>Secuobs.com : 2011-01-13 01:27:08 - Uncommon Sense Security - Shmoocon is only a couple of weeks away. This year, I've offered to help with the FireTalks. FireTalks are two-hour sessions of 15 minute talks given in the evenings between the normal course of Shmoocon talks and whatever debauchery is planned for the later hours. There are still speaking slots open, and we could use a few more sponsors, too. Head over to the NovaInfosec Portal and see this post for more information. Thanks.</description><link>http://www.secuobs.com/revue/news/277871.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277871.shtml</guid></item>
<item><title>The most wonderful time of the year</title><description>Secuobs.com : 2010-12-13 19:57:05 - Uncommon Sense Security - No, not that "most wonderful" time of the year. Shmoobus season is approaching. This will be the fifth SecTwits road trip, and the third annual Shmoobus trip: a pilgrimage from the Boston area to Shmoocon in Washington, DC. What is a Shmoobus? It is a hacker road trip, a way to get to DC and see the wonders of the New Jersey Turnpike and much more. I generally rent a 28-30' RV; folks sit around the table, or on the couch. It is a mini-con on the way to/from the con. The route is from the Boston area (a couple of pickup spots) to Shmoocon. There is a possibility of stops along the way, but I don't think I want to battle NYC traffic in the RV again. The nice folks who keep me around for entertainment, Astaro, will once again be sponsoring the Shmoobus. The last Shmoobus was pretty close to capacity, so we need to start planning now. We have a few options, such as chartering a bus instead of renting an RV, but that would mean no table for conversations, card games and workspace. Also, no generator to power all those laptops and other toys. On the other hand, we could step up to two RVs, but that means we need to find another driver willing to handle the task. But then we could caravan. Twice the fun! Interested in joining us? Drop me a line at work, jdaniel (at) Astaro.com. Jack</description><link>http://www.secuobs.com/revue/news/271359.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271359.shtml</guid></item>
<item><title>This would warm my heart, if I had one</title><description>Secuobs.com : 2010-12-13 16:23:12 - Uncommon Sense Security - Michelle Klinger has a post on her blog that made my week: she tells about her path to becoming a community leader. Check out her post, "SecurityBSides Turned Me into an Adult". Jack</description><link>http://www.secuobs.com/revue/news/271320.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271320.shtml</guid></item>
<item><title>Comment induced follow up post</title><description>Secuobs.com : 2010-12-09 14:01:57 - Uncommon Sense Security - I love comments, and I should make them more often. Three comments on one of my recent posts kicked a few thoughts free, so I'm dropping them here. Marisa Fagan's comment helped me clarify an idea. We often see inappropriate spending on security, and frequently shrug it off with the acceptance that "at least they're doing something, maybe next time they'll get it right". I am a proponent of accepting small victories, but if the "defense" is wrong, that is not a victory of any kind. For any challenge, we have a finite set of resources we can use to address it. If resources are spent on the wrong things, that is not "just" a waste of resources; it removes them from the pool and reduces (or possibly eliminates) what is available for valid solutions. Danny pointed out a very real, but theoretical, threat. Some would call it a "movie plot threat", but I am growing tired of that phrase. Risk analysis needs to consider a wide variety of risks, then categorize them and prioritize mitigations. Even unlikely attacks deserve to be considered in the process, especially if the consequences would be high. In the context of the post, I feel that it would be inappropriate to worry much about a potential threat when there are active attacks we are not adequately addressing. For example, you don't see anyone in InfoSec focusing their efforts on traditional network security to address browser exploits, do you? That would be silly. Hmm, wait, we seem to be getting uncomfortably close to glass house syndrome. (Photo: Christiania glass house, August 2007; photo credit seier+seier, Flickr.) Finally, Dave Kennedy's comment included this gem: "Report: FBI arrests Holland America passenger for releasing ship's anchor", which highlights a real battle we sometimes face. We are all aware of "usability vs security" challenges; this one is a "security vs security" challenge. Or maybe a "safety vs security" challenge would be more accurate. Sometimes you need to drop anchor, and fast. It isn't common, especially in a modern vessel such as the cruise ship in the story, but when you need the anchor down, you need it down. Therefore, the harder it is to drop anchor, the "less safe" the ship may be. In this case I do think there needs to be a level of security above "some drunk can drop an anchor". This kind of incident is a good study in risks, threats, probabilities and outcomes, and it is visceral enough to get people's attention. Jack</description><link>http://www.secuobs.com/revue/news/270520.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/270520.shtml</guid></item>
<item><title>BSides Updates</title><description>Secuobs.com : 2010-12-08 01:44:47 - Uncommon Sense Security - Out of control, but in a good way. It was an idea kicked around on Twitter eighteen months ago. Then the first event happened, and went amazingly well. And then more happened. And the growth continues. It is a simple idea, really. Get people together, bring in good content and engaged participants. Have fun, learn, share, repeat. There have been twelve events in eleven cities in the past eighteen months. From a few dozen to several hundred people have participated in the various events. Dozens of companies have sponsored in amounts ranging from a hundred dollars to those who have provided tens of thousands. There are at least eight new cities planning BSides events in the next several months, plus second year events in more. The most recent event was in Ottawa; that was the first one outside of the US, and there are at least two more locations planned for Canada next year. Later this month, BSides Berlin (BerlinSides) will be the first European BSides, but there will be one in London in the spring. Another is in the planning stages for New Delhi. Head over to www.securitybsides.org for information on upcoming events, and to see where we've been. The next events on the horizon are: Berlin during 27C3 (27C3 is now sold out). There are even a couple of speaking slots open; if you submit quickly you could get on the schedule, and as always there will be space for breakouts, impromptu talks, and private discussions. Minneapolis/St. Paul, at the Wabasha Street Caves, January 7. The second BSides San Francisco will be February 14 and 15; registration and call for papers are still open, location will be announced soon, and it is a great one. Then the second Austin event will be Friday and Saturday, March 11-12. As with San Francisco, the location is going to rock, and will be announced soon. There is even talk of a SkiSides, a BSides at a ski resort. Keep an eye on the BSides wiki for all the details of upcoming events. There is bound to be one near you. And if not, you can help make one happen: send a note to info (at) securitybsides.org to find out about organizing an event. Finally, sponsors make it possible, and BSides provides unique opportunities for organizations to promote themselves and support the community. info (at) securitybsides.org is the address for sponsor info, too. Or email me directly (you can find the address somewhere up there, in the blog header); I'll be happy to answer questions about BSides. Jack</description><link>http://www.secuobs.com/revue/news/270105.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/270105.shtml</guid></item>
<item><title>If you have to ask, the answer is yes</title><description>Secuobs.com : 2010-12-06 22:48:40 - Uncommon Sense Security - In case you missed it: Alan Shimel wrote a good, but really depressing, post over on his Open Source column at Network World. Alan and I are both "old white guys" who are heartily sick of sexism in our industry, and Alan's latest piece addresses and links to some pretty appalling things. It really is way past time to act like responsible adults in this business. And I may just have to act very childish at an event or two next year to make that point. Stay tuned. Jack</description><link>http://www.secuobs.com/revue/news/269766.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/269766.shtml</guid></item>
<item><title>Invoking 9/11, lies, and ignorance</title><description>Secuobs.com : 2010-12-02 04:06:32 - Uncommon Sense Security - This one has been stewing for quite a while. It was triggered by an event that happened while I was on vacation late this summer, but I have held off on writing about it until now. First, I didn't want to write about it in the hype-cycle leading up to the anniversary of the September 11 attacks and look like I was riding the hype wave. Then it was election season, with all the hype and invocation of 9/11 that brings. Now, maybe I can get this off my chest safely. I took an Alaskan cruise this summer. I'm not really a "cruise" kind of guy, but the Inside Passage cruise is as stunningly beautiful as most people say it is. One day the cruise director was talking about DVD tours of the ship and mentioned that it was the only way to see the bridge or engine room since... that's right, the tightened security after 9/11. Because we simply can't have any more cruise ships flying into skyscrapers. This is pure BS, and is actually a complete failure to grasp the nature of the threats. Worse, it misdirects defenses and perceptions away from the real threats in a maritime environment, which are very different from the aviation world. The "lesson" of 9/11 was that the passengers and crew of airplanes were no longer the only objective; the planes themselves were objectives, so they could be used as weapons. Applying that "lesson" to cruise ships is stupid and dangerous for several reasons, a few of which follow. First, there's the matter of physics. The navigation space of aircraft is much less restricted than that of ships (the sky is very large, even if some of the edges are hard); combined with the speeds of modern aircraft, the number of possible targets for an airplane attack is myriad. Ships could be used for ramming attacks, but it just isn't that practical, especially when you consider how tricky many approaches are to ports. There's a big reason harbor pilots are used to guide ships into port: tides, currents, shifting shoals are all in the way of getting to the berth, or of ramming a target. Then there is the practicality of maritime safety. There is none; it is almost exclusively vigilance that defends shipping. When an airplane leaves the runway, the number of practical threat vectors narrows. At 36,000 feet I am not worried about a guy with a rocket propelled grenade on the ground, or someone forcing the door open from outside. When a ship leaves a harbor, it loses the protection of monitoring from on shore and adjacent vessels' crew; it is alone and approaches to the vessel become easier, not harder. But those details miss the larger point: the "lesson of 9/11", the use of vessels as weapons, isn't just impractical in the maritime environment, it downplays the very real and actively exploited threats to ships. Piracy is rampant in parts of the world, and not just off the coast of Somalia, and that is much more like the pre-9/11 view of airline threats: hijacking and kidnapping. It is wrong to make any statements which in any way divert attention from the piracy crisis; it diminishes the significance of both 9/11 and the scourge of piracy. And for the specific threats posed by tours of the bridge and engine room: I completely agree that the bridge should be off limits at almost all times, but that is common sense and safety. The bridge is no place for stray people when a ship is underway. The same could be said for some of the engineering areas. But when the ship is in port I have a hard time believing tours can't be given safely. Even if you do buy the idea of a movie-plot threat, remember that passengers and their luggage go through metal detectors and x-rays, similar to airport security (pre-nudie scanners and freedom fondles). Defend against the real threats. That's it. No InfoSec angle. Alright, if you really need an InfoSec angle, I'm sure you can extrapolate something about misidentifying threats, and using that wrong information to create the wrong defenses, thus ignoring or even weakening viable defenses. But we would never let that happen. At least we don't usually deal with dead people over our mistakes. Jack</description><link>http://www.secuobs.com/revue/news/268763.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/268763.shtml</guid></item>
<item><title>Go read this</title><description>Secuobs.com : 2010-10-24 22:16:51 - Uncommon Sense Security - Thanks to Alex Hutton for pointing out a great article in the Atlantic. It is about medical research, but it transcends that topic and really applies to many areas of research and study. The article is called "Lies, Damned Lies, and Medical Science" and leads with: "Much of what medical researchers conclude in their studies is misleading, exaggerated, or flat-out wrong. So why are doctors, to a striking extent, still drawing upon misinformation in their everyday practice? Dr. John Ioannidis has spent his career challenging his peers by exposing their bad science." My favorite quote from the article may be: "Maybe sometimes it's the questions that are biased, not the answers." That is very close in intent to something I often say, which is "if you want to know how the illusion works, do not look where the magician points". It is an interesting and (hopefully) thought provoking article. Jack</description><link>http://www.secuobs.com/revue/news/259548.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/259548.shtml</guid></item>
<item><title>BSides slideshow</title><description>Secuobs.com : 2010-10-09 13:18:18 - Uncommon Sense Security - Here's a little slideshow of photos from BSides events in Las Vegas (both '09 and '10), San Francisco, Austin, and Boston. I cannot believe how far this has gone, and we're just over a year into it. Jack</description><link>http://www.secuobs.com/revue/news/255540.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/255540.shtml</guid></item>
<item><title>Verizon's PCI Compliance Report</title><description>Secuobs.com : 2010-10-06 22:13:57 - Uncommon Sense Security - A couple of days ago I pointed to the new Verizon Payment Card Industry Compliance Report (PDF available at http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf). I have read and digested it; I have also read and been unable to digest (or even keep down) some of the "supporting" information. Short version: it is a first try, and it has useful data, data you will not find elsewhere. Some of that data and accompanying analysis can help organizations battling PCI compliance, and those who audit/assess or consult organizations attempting to comply with PCI-DSS. There is, unfortunately, some complete crap surrounding the data; some of the report was apparently written by myopic PCI cheerleaders. A lack of overall understanding of the security landscape, and the occasional straw man, may make you want to stop reading before you get far, but don't give up; there is much more good than bad, just keep your reality distortion shields up and you will learn from the report. You can also learn from the mistakes of others, which is not as visceral as learning from your own mistakes but is much less painful. Some things really jump out at you, like the 78% non-compliance rate at the initial assessment. At the time of the initial assessment over 50% of organizations were not compliant with 8 of the 12 requirement areas. Requirement 11, regular testing of security systems and processes, came in dead last in initial compliance. The report states that the 22% that were found compliant at the initial assessment were mostly experienced at PCI-DSS, but many that had been found compliant previously were deficient in the subsequent assessments included in this report. It would be great to know how many of the formerly compliant were assessed by Verizon previously as opposed to how many were assessed by other QSA firms, and how they compared. Not holding my breath for those stats, but they would be telling. The lack of quality assurance in the QSA space is one of the things I have railed about in the past; this data could really help the PCI council address some of these problems (if they had any interest in doing so). It will be interesting to see what conversations come from this report. Jack</description><link>http://www.secuobs.com/revue/news/254832.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/254832.shtml</guid></item>
<item><title>Another report from Verizon, this one on PCI</title><description>Secuobs.com : 2010-10-04 18:30:07 - Uncommon Sense Security - The good folks over at Verizon Business have cranked out another report, this one on PCI. I urge you to read the PDF for yourself (yes, PDF, a file format we should trust just as much as EXE these days). The blog post and podcast underwhelmed me, but you may see value in them. PDF: http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf. The blog post is at http://www.verizonbusiness.com/worldwide/about/news/pr-25614-en-%5BURLLINKTEXT%5D.xml and a short podcast: http://www.verizonbusiness.com/worldwide/resources/media/index.xml?urlid=131366. I need to digest it before adding commentary. Remember that Verizon Business has a large PCI practice. I'm not saying there is any bias or spin, but it would be naive to overlook that fact. Also, keep in mind that like the DBIR, the sample organizations are self-selecting; they are companies which can afford, and use, Verizon for business services. (That's one of the great things about the latest DBIR, the addition of Secret Service data to normalize results.) Jack</description><link>http://www.secuobs.com/revue/news/254081.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/254081.shtml</guid></item>
<item><title>I'm going to be where?</title><description>Secuobs.com : 2010-09-27 01:39:43 - Uncommon Sense Security - It looks like I have a busy fall; I will be attending all kinds of events around the US and Canada. Meet me for a beer (or bourbon) and let's chat if you will be at any of them. Or, go to the events because they are great events, and know I'll be there and you can hide from me. Whatever works for you. (Not my actual legs.) I will be at both InterOP and SC World Congress in New York with other folks from Astaro. Yes, I'll be on Booth Babe duty. No, they promised I will not have to wear fishnets and pumps this time (just try to get that image out of your head). I will be at three of this fall's Security BSides events. I just missed the one in Kansas City; sounds like it was another good one. I will be at those in: Atlanta, GA on Friday, October 8 (I will be giving the morning keynote address); Dallas/Ft. Worth, TX on Saturday, November 6; Ottawa, Ontario on Friday and Saturday, November 12 and 13. Unfortunately, due to a scheduling conflict I will not be at BSides Delaware, but it looks like it will be yet another winner, and it is conveniently located for a lot of people in the industry. I am helping with the HacKid Boston event coming up in just a few weeks. This will be a fun and educational event for the kids and parents; I am really looking forward to helping make it happen (and I don't even like kids). And, of course, there is SecTor and the SecTorBus road trip. There is still a seat or two open; let me know if you would like to join us for that adventure. A couple of days before BSides DFW the Houston NAISG chapter is holding HouSecCon. But other than that, and a few local speaking engagements, I don't have much going on. Except I "might" be working on a Security BSides Berlin as well as the second ones in Austin and Boston. Oh, and ShmooBus III. But other than that, not much. Jack</description><link>http://www.secuobs.com/revue/news/251854.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/251854.shtml</guid></item>
<item><title>I know what the law says. Or do I?</title><description>Secuobs.com : 2010-09-22 20:10:38 - Uncommon Sense Security - I recently attended an event where Scott Schafer, Chief of the Consumer Protection Division of the Massachusetts Attorney General's office, reiterated the AG's take on some aspects of MGL 93H, the Massachusetts data breach reporting law. Specifically, Assistant AG Schafer put forward a very strict interpretation of the definition of breach in 93H, covering when you must report a breach. The AG's office has an interpretation of when you must report a breach that is substantially different than most people I have spoken with on the topic. (Insert giant disclaimer here: I am not a lawyer, I am not your lawyer, this is not advice, legal or otherwise, except to advise you to contact your lawyer, etc.) The issue revolves around breach notification when encrypted Personal Information (PI) is lost. Here is 93H's definition of breach: ""Breach of security", the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure." The key bit for me being: "unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key". My reading of that (and that of most people I have spoken with) is reflected in the following, with my emphasis added to the text by way of red font and bracketing: "unauthorized acquisition or unauthorized use of [unencrypted data] or, [encrypted electronic data and the confidential process or key]". That is, losing unencrypted PI is a breach, as is losing both encrypted PI and the key to decrypt it. I had interpreted losing encrypted data without losing the key as not meeting this definition of a breach, and thus not requiring notification. An excerpt of 93H from Assistant AG Schafer's slide deck shows the emphasis he placed on the phrase (underlining is as it was shown on his slide deck): "Unauthorized acquisition or use of unencrypted data or, encrypted electronic data and the confidential process of key that is capable of compromising". The exclusion of the "and the confidential process or key" clause from underlining is telling. The AG's office states that any loss of personal information is a breach and must be reported, whether encrypted or not. The explanation is that we cannot be sure that the key has not been lost or otherwise compromised. Two examples were given to support this position: 1. A laptop containing PI was lost. Although encrypted, the encryption key was taped to the laptop. 2. An encrypted laptop containing PI was reported stolen by an employee, but the employee was actually using the laptop and using the PI for fraud. In each case, the organization responsible for the protection of the data has a problem. In the first case, it was unclear if the organization knew the key was on the laptop, or if there had been any user education, or even if there were policies prohibiting affixing the key to the encrypted device. In the second case, a crime was committed, and the organization was one of the victims of the crime; but is that relevant to disclosure under 93H? I want to make it clear that I am all in favor of strong consumer protection laws, and was one of the few people who consistently spoke out against weakening 201 CMR 17.00 at hearings as the OCABR debated the various changes to that regulation. I am, however, opposed to vague or misleading language. Do not look down here for answers; I think this will take some prosecutions and subsequent court decisions to set precedents and give us the guidance we need. By the way, this discussion only applies to the idea of encryption providing "safe harbor" in the case of breach reporting. Encryption is required for all portable devices containing PI; 201 CMR 17.00 is very clear on this (although "where technically feasible" provides wiggle room). Jack</description><link>http://www.secuobs.com/revue/news/250741.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/250741.shtml</guid></item>
<item><title>SecTorBus will roll, will you?</title><description>Secuobs.com : 2010-09-16 23:58:22 - Uncommon Sense Security - There will be another road trip this fall, to the excellent SecTor Security Education Conference in Toronto. The conference portion of SecTor runs on Tuesday and Wednesday, October 26 and 27 (there are also classes in the education portion). Take one [image], add a handful of hackers, then drive to [image] and look out world. The tentative schedule calls for the RV to make the run from Northern Virginia to the Boston area on Sunday, October 24, and Boston to Toronto on Monday. The return trip to Boston will be Wednesday night, and Boston to NoVa will be later on Thursday after a bit of rest. Big thanks to Astaro; they have come through again to sponsor the trip, so it will be free to join us on the ride. You will need to cover your own conference, food and lodging expenses, but if you haven't already registered for SecTor let me know, there should be a discount code soon for SecTorBus riders. Due to local regulations, we cannot sleep in the RV in Toronto, so you will need a room (or a friend with a room). Keep in mind that Toronto is in Canada, which is like a whole other country. There will be border crossings, which means you will need a passport if you wish to make a round trip. Once again we will be renting an RV, we should have plenty of power for laptops, and where there is coverage on the US side we will have a rolling 3G hotspot compliments of Astaro. If you would like to join us, drop a note to jdaniel at astaro.com for more info. Jack</description><link>http://www.secuobs.com/revue/news/245995.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/245995.shtml</guid></item>
<item><title>This will be interesting</title><description>Secuobs.com : 2010-07-12 13:43:47 - Uncommon Sense Security - The week of Las Vegas madness that encompasses Security BSides, BlackHat and DefCon is approaching. I am fortunate enough to be speaking twice that week. I will be leading Security Speed Debates at 10am on Thursday, 7/29, at Security BSides. It is an idea I have blatantly stolen from AusCert, but ours will be better, at least partly because we don't talk funny. I will be joined by the lovely and talented Josh Corman and Dennis Fisher (you decide which one is which) plus a "player to be named later". We will each have one minute to make our cases for or against a variety of incendiary topics, then we'll give a couple of folks watching the spectacle a chance to add their opinions. To make it more interesting, the panelists will be assigned pro or con positions, on the spot, by coin toss. The goals are to 1) have fun, and 2) encourage conversation. I will also be moderating a panel discussion on PCI at DefCon at noon on Sunday. Yes, PCI at DefCon. We have a killer team lined up for the panel; see the lineup and summary here. I'll be joined by James Arlen (aka Myrcurial), Anton Chuvakin, Joshua Corman, Alex Hutton, Martin McKeay, and Dave Shackleford. How's that for a team? I think our synopsis sums it up very well: "PCI at DefCon? Are you on drugs? Sadly, no; compliance is changing the way companies 'do security', and that has an effect on everyone, defender, attacker, or innocent bystander. If you think all that 0-day you've heard about this week is scary, ask yourself this: if a company accepts credit cards for payment, which is a more immediate threat, failing an audit or the possibility of being compromised by an attacker? That is one of the reasons 'they' do not listen to 'us' when we try to improve security in our environments; as real as they are, our threats are theoretical compared to failing a PCI assessment. Systems are hardened against audit, not attack. Sadly, this is often an improvement, but this can also reduce security and provide a template for attackers. This panel will discuss and debate strengths and weaknesses of PCI, expose systemic problems in PCI-DSS, and propose improvements." If you'll be in Vegas for the fun, consider checking these out; they should be fun. Jack</description><link>http://www.secuobs.com/revue/news/239637.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/239637.shtml</guid></item>
<item><title>Wildly successful social engineering</title><description>Secuobs.com : 2010-07-09 22:26:43 - Uncommon Sense Security - Someone has done some wildly successful social engineering. Amazing, actually. I am not talking about the "Robin Sage" social media social engineering case where a lot of people who should know better gave up a lot of information in a lot of different ways. That may be interesting (we'll see when it is presented), but even though some of the results were sensitive, that is building on a lot of prior work. I am talking about the coverage of that story, where the reporting has largely been horrible, gullible, naive crap. Sorry folks, but yes, that includes coverage from people I like. If you believe a lot of what you read, you would think that a lot of people were "duped" into following/friending/linking/whatevering Ms. Sage. This shows a gross lack of understanding of both social networking and the security community, both on the part of the journalists and, to a lesser extent, the researcher. The people who "over-shared" really are a problem, and it may be interesting to see what Thomas Ryan (the person behind Robin Sage) presents at DefCon. It looks like s/he got a lot of sensitive information from people who should know better: three letter agencies, military, and more. Interesting, but "people are stupid and gullible" is not really ground-breaking, nor is mining/abusing social networking to prove this point a new idea either. It does sound like the scope and scale may be noteworthy. But not new, and being a skeptic, I'm not sure it is newsworthy. Where things fall apart is the nonsense over stories which pretty much proclaim that MILLIONS OF SECURITY PROS DUPED, and point to the number of friends/links etc. the virtually perky Ms. Sage gathered. I would like to point out four things: 1. Different people use social networks in different ways. Just because someone accepts your connection request does not mean they are fooled by you. They may not even care if you are real or fake. Maybe they (sadly common) think that more connections means they are more important. Maybe they are public figures of some kind, and accept most requests as a matter of policy. If people are careful with what information they share, there is nothing wrong with this. Nothing. It is voluntary, get over it. It is how Social Media and Social Networking work for many people. If you don't like this approach, don't use it. The decision to accept may be based on connections offered (via friend-of-a-friend linking) instead of being based on the person making the request. Again, if you are cautious about what you share, there isn't a risk here, even if it is a pretty shallow move. Robin certainly had some interesting friends/links to entice people. Put another way: some days, the wingman scores. 2. Once Robin Sage became fairly visible, the drama got interesting and a lot of people began following/linking to the myriad of Robin Sages (yes, there were clones and evil twins, too) just to watch the train wreck. I was one of these, and like many others I had my suspicions, but didn't care if she was real, fake, or just another troll; there was entertainment. People were not duped, they grabbed a beer and some popcorn and watched the show. 3. Robin Sage was called out. Spotted. Thoroughly outed. Many thought "something was fishy". Some people did actual research and provided real details. People had to connect/accept to do the research and confirm their suspicions. The press almost completely missed this critical point. They also missed the fact that once this was widely known, even more people connected to and followed Robin to watch the evolving train wreck mentioned in point 2. 4. Mr. Ryan apparently convinced (socially engineered) much of the media into thinking this was something it wasn't, and the result was not journalism, it was an embarrassment. And this is just the worst of it this week. Half-baked ideas, giant (and flawed) leaps of logic, obvious vendor spin, and more were on parade this week. Maybe it was the heat and no one could think clearly. Maybe it was Vacation from Healthy Skepticism Week and no one told me. I don't know, but I'm not happy about it. Jack (Note: since posting, the question of linking to specific examples has come up. I debated it while writing this post, but in the end I decided that the issue was so pervasive that calling out specific writers or articles would not have been productive.)</description><link>http://www.secuobs.com/revue/news/239256.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/239256.shtml</guid></item>
<item><title>Security BSides Las Vegas announcements</title><description>Secuobs.com : 2010-06-15 01:25:49 - Uncommon Sense Security - The venue for Security BSides Las Vegas is phenomenal. As great as that is, BSides is about content and community, and I'm happy to spill a few details about content. The first few talks confirmed are great and there are plenty more killer talks to be announced. Here are a few teasers: David Mortman has assembled an all-star panel including Marisa Fagan, Erin Jacobs, James Arlen, Dave Lewis, Leigh Honeywell, and Rafal Los for "Mentoring, Mentee-ing, Telamachusing, Manatee-ing In Information Security: A How-To Panel". Come and learn how to get the most out of the Mentor/Protégé relationship from our panel of experts. HD Moore will present "Fun with VxWorks". This talk focuses on the VxWorks operating system, how it works, what devices use it, and how to compromise it. The content will include background information on VxWorks itself, a checklist of common vulnerabilities, mappings from these vulnerabilities to shipped products, and a live demo of gaining access to a widely deployed commercial product. Gene Kim will present "Mobilizing the PCI Resistance: Lessons Learned From Fighting Prior Wars (SOX-404)". "I have noticed that there is a growing wave of discontent from the information security and compliance movement around complying with the PCI DSS. My desired outcome is to find fellow travelers who also see the pile of dead bodies in PCI compliance efforts and catalyze a similar movement to achieve the spirit and intent of PCI DSS." Bruce Potter will bring us "How to Make Network Diagrams that Don't Suck". "We've all been there. You walk in to a network blind and the first thing you ask for is a network diagram. What gets handed to you has apparently fallen out of a bowl of ramen and on to the page. Overlapping lines, big arrows, and host names in print so small that only insects can read it." Egyp7 will deliver "Beyond r57". "PHP is an easy language to learn and is among the most popular in the web development world. Because of this, many PHP applications are written by novice programmers with little knowledge of writing secure code. Combine that fact with a few poor design decisions and you end up with vulnerabilities in PHP applications being published daily." And that is barely scratching the surface. There will be plenty more, and there will be informal and impromptu talks, too. And healthy conversations. Maybe an argument. And a first for BSides, we will be arranging a press area for BSides LV. It is the place to be, and we want to provide those covering the event a place to hold interviews and get work done. Jack</description><link>http://www.secuobs.com/revue/news/231472.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/231472.shtml</guid></item>
<item><title>I just want to fix my car</title><description>Secuobs.com : 2010-06-09 12:24:04 - Uncommon Sense Security - I'll close out my series of car rants with this one, on our ability to repair our cars. This is not a new battle, but the front has moved into new territory. The "Experimental Security Analysis of a Modern Automobile" paper touched on the subject briefly, pointing out that some of the "vulnerabilities" they reported could be addressed by locking down diagnostic and repair procedures. They also stated that "individuals desire and should be able to do certain things to tune their own car (but not others)". Starts off good, then takes a dive. So, who gets to decide what you can do to your car? That is academic arrogance and lack of perspective there, folks. Yes, if I want to use my car on public roads, I have obligations to my fellow drivers and to the law. If I am on a racetrack, the obligations are to my fellow drivers and the rules of the sanctioning body. In the fields of my farm, the regulators, manufacturers, and pointy-headed academics can (insert your own creative answer here) themselves. And on the commercial side: "Similarly, how could mechanics service and replace components in a locked-down automotive environment? Would they receive special capabilities? If so, which mechanics and why should they be trusted?" Once again, a little historical perspective: manufacturers have built vehicles requiring special tools for many years, and have tried to limit access to these tools to limit independent shops' (and do-it-yourself mechanics') ability to maintain and repair vehicles. Manufacturers have tried to restrict access by only allowing sales of some tools to authorized dealers, and when they can't get away with that, they resort to making tools available at excessively high prices. Special fasteners are the most obvious example, but there are few parts of an automobile which haven't seen bizarre adaptations which require either serious creativity, or special tools, to access or repair. Tools like these are easy to reverse engineer and duplicate. With these physical components, we do have the ability to look at them and improvise, and tool manufacturers can make their own versions of the tools like the ones shown above. Unless they run into patent issues, of course. Going beyond repairs, tuning used to be a lot more obvious, too. Changing some settings, swapping a few parts, these were commonplace tuning techniques. Even the term "tune up" tells us something: we had to tune cars regularly; adjusting carburetors and points were regular service procedures. One very common performance swap was replacing the carburetor; this was not done simply for performance, but for the ability to fine tune the aftermarket carburetors in a way we couldn't tune factory systems. For example, use of the ubiquitous Holley carbs meant that with some skill and patience, and a couple of boxes of jets, we could precisely refine the fuel mixture fed to the engine. [image: Holley carburetor jet assortment] We are now in a situation where many routine repairs require interaction with the computer systems of the automobile. Even tasks like changing fluids or servicing brake pads can require use of the computer systems. Depending on make and model you may need one of these $18,000 (USD) systems to perform simple repairs. [image: Automotive diagnostic and repair computer] (Note: that's a real system used by some European manufacturers; they really are about $18k, and are just a feeble Windows 2000 laptop in a user-unfriendly form factor.) Repair information is, and has been, a bigger problem. Mechanical systems can be torn down, inspected, and independent publishers could (and still can) create repair manuals. The diagnostics, and the underlying operation information, was always where we fought for information; the move to computerized systems has made this information both harder to find and more desperately needed. We can't just look at the problem and improvise; that's why we need the manufacturers to cooperate in making information available, or at the very least we can't allow them to block access to information. This is not easy: there are standards, but there are also proprietary implementations, so we are back in the awkward Intellectual Property/software patents/reverse-engineering-breaks-DMCA world that is familiar to those of us in information security. And it is more complicated than that: if you reverse-engineer proprietary software on your computer and alter its functionality, what are the consequences for society at large? Altering automotive systems can have a profound impact on fuel economy, emissions, braking and other safety systems; that can have a real impact on society. Or, at least have an impact on the car in front of you if you've screwed up your brakes. Again, a little perspective: we've always been able to screw up our cars, we are just exposing new ways to do it. Let's not ignore government's role in this situation. Much of the push to computerization of powertrain management systems was a reaction to ever-tightening emissions and fuel economy mandates. It doesn't stop with the design of the car, either: most automobiles have to undergo inspections, and many modifications to the fuel and emissions systems are likely to cause your vehicle to fail. I do think the paper has highlighted a couple of real issues, and implementing some basic safeguards such as limiting the conditions under which certain commands can be executed, and limiting which systems can issue certain types of commands, should improve the security of automotive computer systems without compromising our ability to repair our vehicles. If you are interested in this issue, check out Right to Repair HR 2057 (PDF); the proposed "Right to Repair" bill looks like a good starting point. It is proclaimed as "A bill to protect the rights of consumers to diagnose, service, maintain, and repair their motor vehicles, and for other purposes". And we could all use a little protection. Of course, we often want protection from the government, so protections mandated by the government will require a bit of scrutiny. Jack</description><link>http://www.secuobs.com/revue/news/229959.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/229959.shtml</guid></item>
<item><title>A bit of deep thought</title><description>Secuobs.com : 2010-06-07 09:09:51 - Uncommon Sense Security - A couple of weeks ago Michal Zalewski wrote a guest post for Ryan Naraine over on the ZDNet Zero Day blog. It stirred up some conversation, but I wasn't going to comment on it until I hung out with the Pauldotcom crew for their 200th episode extravaganza and Hackers for Charity fundraiser. The post and responses came up, and after a little deep (beer-induced) thought, I decided to share a few thoughts, and offer links to a variety of responses. First, I almost skipped the post; the first sentence lost me: "On the face of it, the field of information security appears to be a mature, well-defined, and an accomplished branch of computer science." Seriously? Anyone who thinks that is clearly delusional. But I know that Michal is not; he is brilliant, and Ryan encouraged me to read the entire post. So, I did. Even though the rest of the first paragraph really isn't much better: "Resident experts eagerly assert the importance of their area of expertise by pointing to large sets of neatly cataloged security flaws, invariably attributed to security-illiterate developers; while their fellow theoreticians note how all these problems would have been prevented by adhering to this year's hottest security methodology. A commercial industry thrives in the vicinity, offering various non-binding security assurances to everyone, from casual computer users to giant international corporations." I am not sure how someone Michal's age attained that level of cynicism, but it is impressive. He goes on to say we have had no successes in software security, elegantly define the problems in a few ways, and then leave us there. Michal appears to be making the kind of assertions that triggered my last post; I think he could really use a bit of perspective. But enough of that. If you are interested in an interesting look at software security from a variety of perspectives, check out the following links. Note: these are some seriously smart folks; it often takes me a couple of passes at some of the ideas to get it. Michal's original post is here. Amrit Williams has a great response here. Ivan Arce responded here. Ivan is crazy smart, and this is a thorough response. It may take a little digesting to grasp Ivan's points. David Mortman has a great follow up post here. Michal has a follow up to his post on his blog, including some comments, and links to a few responses (including some of the above). It is an interesting series of posts. But remember, nothing you read in any of them changes the fact that tomorrow is "Patch Tuesday", with all the baggage that brings. So keep a little perspective as you read the installments of this little drama. Jack</description><link>http://www.secuobs.com/revue/news/229069.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/229069.shtml</guid></item>
<item><title>Time for a new mantra</title><description>Secuobs.com : 2010-06-01 13:02:55 - Uncommon Sense Security - NOTE: On re-reading this post before publishing, I realize it sounds pretty bitter in places. It should. But, I do want to make clear that I respect the vast majority of people who do the hard work, even when I disagree with some of what they say, or the way they say it. We need a new mantra in information security. We've heard various forms of "think like an attacker" forever. And it is absolutely true. But seriously, enough. Make the point to the new, the uninitiated, those outside our craft, but otherwise, stop it. The choir knows the tune, and the chorus, and lyrics, and can do it in rounds while drunk. Here's my proposal: Run a (optional expletive of your choice) enterprise. Or maybe just: Run a (optional expletive of your choice) network. It doesn't need to be a big environment, but your MacBook, roommate's XP laptop, and a NAS server does not count. You need to run a network, remediate problems, scramble and patch, screw up, get yelled at when things go down, and occasionally score victories. You need to see things work, and see things fail. If you are both good and lucky, you may get to see The Next Big Exploit in the wild, and watch it pass you by unscathed. I am not saying to stop thinking like an attacker, but I am suggesting that if we accept that defenders should understand the attacker, those who do attack research should experience the world from the other side. A classic case of this is the "technology X is fundamentally broken" statements we hear year after year, con after con. Many people don't understand why they are ignored by management and admins when they make these absolutely true statements. I'll tell you why: because no matter what we're told about the failures of anti-virus, web filtering, IPS, or whatever, we've seen these technologies work. Perfect, no. Fewer helpdesk calls, yes. That is success. Limited success, sure. I just want people to tell the truth, and offer solutions, even imperfect ones. "Technology X does not work as well as you need it to, but you can minimize the pain by doing Y" will have people at your feet begging for more. I am not even asking for researchers to "pity the poor admin", but should a little empathy develop, I'm good with that. By the way, some of the criminals do get this. When the new MSRT ships and your botnet starts evaporating, you learn a lesson. Bonus points for retiring "Criminals don't play by the rules"; that is the epitome of an NSR statement (NSR: No "Stuff", Really?). A little perspective goes a long way, which is a very good thing, because many in our business seem to have very little perspective. Jack</description><link>http://www.secuobs.com/revue/news/227448.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/227448.shtml</guid></item>
<item><title>Comments broken?</title><description>Secuobs.com : 2010-05-28 14:56:00 - Uncommon Sense Security - It looks like commenting is currently broken on the blog; trying to figure it out. Since I've been too lazy to build and run my own blogging system, I'm at the mercy of the Googleplex to get this sorted out. Sorry. (Update: it looks like only the last post has broken comments.) Jack</description><link>http://www.secuobs.com/revue/news/226659.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/226659.shtml</guid></item>
<item><title>Continuing the car-rant</title><description>Secuobs.com : 2010-05-27 13:14:05 - Uncommon Sense Security - Time to resume the review of the car security paper. I will not pick it apart completely, but I do need to hit several more points in this post, and then I'll wrap up the car rant in one more post on access to tools and information. Backing up a bit, one thing I skipped over was the choice of automobiles. They chose one pair of identical cars, testing one stationary and one on a test track. Their reasoning behind the small sample, and not identifying the car, is stated as: "We believe the risks identified in this paper arise from the architecture of the modern automobile and not simply from design decisions made by any single manufacturer. For this reason, we have chosen not to identify the particular make and model used in our tests. We believe that other automobile manufacturers and models with similar features may have similar security properties." I am uncomfortable with these blanket assumptions for a few reasons. First, it is irresponsible to praise or damn an entire industry based on a single sample. Second, I assume the technology levels of auto manufacturers have been somewhat leveled by regulatory and market pressures, but it is naive to think they are all the same, or that they all treat digital security the same. Time for another trip back in time: going back to the pre-OBD-II days, some manufacturers had barely moved out of the seventies, while others had forged well ahead. For example, there was some argument over the number of pins to be included in the proposed standard connector; many manufacturers complained loudly and said it was impossible to supply the required information in the small number of connectors. Chrysler also complained about the proposal, but their complaint was that they were already supplying more information than required in a smaller connector; Chrysler objected to needlessly adding pins. At this time, Ford technicians were still using breakout boxes and meters for some testing while many Chrysler vehicles were connected to in-shop computers to do the same, only faster and more reliably. At the same time (early 90's) we had data capture devices available for Chrysler products which let us capture system data while on the road. I remember dumping the contents to the shop computer, then to floppy, so that I could wave them in engineers' faces at conferences. "If you look here on the fuel injector and ignition timing traces..." was a lot better than "I don't know, but the customer still isn't happy". Moving forward, up until a couple of years ago I know that the quality and technology of diagnostic equipment varied widely between manufacturers. From what little I've seen from friends and clients this still appears to be true. I do not think it is unreasonable to conclude from this that testing of multiple manufacturers' systems is warranted before making any sweeping statements. A technical and safety nitpick: on page nine, section V.B, they discuss the setup for the stationary tests. They raised the car on jackstands and ran the drivetrain at speed for the tests with the wheels and powertrain unloaded. This means the operating environment of the vehicle was artificial and bearings were spun without load, a bad idea. Also, without the weight of the vehicle on the wheels, had something malfunctioned there could have been out-of-control vibration, possibly bouncing the car off the stands with catastrophic results. (This one is not theoretical; I've seen bad things.) In this configuration, they tested the electronic braking system: the rear wheels were stationary while the front wheels spun at 40 MPH. Since there are wheel speed sensors on each wheel, this put the system in an unnatural state; it is not surprising they experienced different results between the static and road tests. They did understand this, but understanding that they were "doing it wrong" is not especially confidence inspiring. Although they repeated some tests on the road, it just shows a basic lack of awareness, especially considering the information they could have gathered by running the system on a chassis dynamometer. Dynos are not rare anymore, either: state emissions testing stations in many states are equipped with rudimentary ones, and performance and speed shops have reliable ones available. Running on a dyno would not have solved the wheel speed sensor issue, but it would have addressed load and safety issues. As far as the wheel speed issues, depending on the sensor it may have been possible to solve with a simple little hack of the sensor outputs while stationary. Moving forward to page twelve, we return to good (and disturbing) information: "The fact that many of these safety-critical attacks are still effective in the road setting suggests that few DeviceControl functions are actually disabled when the car is at speed while driving, despite the clear capability and intention in the standard to do so." Again with the poorly implemented or enforced standard; this is critical information from the report. They also found that it was possible to bridge the high- and low-speed busses; that is just plain wrong, and potentially terrifying. More important findings; I really wish I wasn't questioning everything by this point. Hopefully you have read the report; don't just accept their findings (or my observations), but put some thought of your own into it. I hope there is follow up study, and that it is done with more caution and better research. There is one more petty thing I wish to bring up. They refer to computer managed automobiles as "cyber-physical vehicles"; what the (heck) does that mean? We do not need more cyber-hyphenated nonsense terms. One more quick car post is coming, then back to your irregularly-scheduled drivel. Jack</description><link>http://www.secuobs.com/revue/news/226237.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/226237.shtml</guid></item>
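The two findings quoted in the post above (DeviceControl functions not disabled at speed, and the high- and low-speed busses being bridgeable) are the same ones the later "I just want to fix my car" post answers with "limiting the conditions under which certain commands can be executed, and limiting which systems can issue certain types of commands". The following is an added example of what such a gateway policy looks like in code; it is not code from the blog or from the paper. The arbitration IDs, payload layout, bus names, the 5 km/h threshold and the allowlist are all constructed for this illustration and do not correspond to any real vehicle or to the standard the paper refers to.

```python
"""Speed-gated, source-checked CAN gateway policy (added example, hypothetical IDs)."""
from dataclasses import dataclass, field

HS = "high-speed"   # powertrain and chassis modules (ABS, engine)
LS = "low-speed"    # body and comfort modules (doors, lights, radio)

# Arbitration IDs and payload layouts below are constructed for this example only.
ID_WHEEL_SPEED = 0x1A0      # ABS broadcast on HS; bytes 0-1 = road speed in 0.01 km/h, big-endian
ID_BRAKE_CONTROL = 0x7E0    # DeviceControl-style request aimed at the brake module (lives on HS)
ID_DOOR_CONTROL = 0x7E2     # DeviceControl-style request aimed at the body module (lives on LS)
ID_DOOR_STATUS = 0x3B0      # body module status broadcast, harmless to share with HS

DEVICE_CONTROL_IDS = {ID_BRAKE_CONTROL, ID_DOOR_CONTROL}


@dataclass(frozen=True)
class Frame:
    bus: str       # bus the frame was received on
    can_id: int
    data: bytes


@dataclass
class Policy:
    # DeviceControl requests are honoured only when road speed is at or below this value.
    device_control_max_kph: float = 5.0
    # The bus each DeviceControl target lives on; a request arriving from the other bus is dropped.
    home_bus: dict = field(default_factory=lambda: {ID_BRAKE_CONTROL: HS, ID_DOOR_CONTROL: LS})
    # The only frames allowed to cross the gateway: (source bus, destination bus, id).
    bridge_allow: frozenset = field(default_factory=lambda: frozenset({(LS, HS, ID_DOOR_STATUS)}))


class Gateway:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.speed_kph = 0.0
        self.events = []   # (verdict, id, reason) audit trail

    def _note(self, verdict, frame, why):
        self.events.append((verdict, hex(frame.can_id), why))
        return verdict

    def handle(self, frame):
        """Accept or drop a frame on the bus it arrived on; returns the verdict."""
        p = self.policy
        if frame.can_id == ID_WHEEL_SPEED:
            # Only the high-speed bus may report road speed; a spoofed report from the
            # body bus must not be able to "park" the car and unlock DeviceControl.
            if frame.bus != HS:
                return self._note("drop", frame, "speed report from wrong bus")
            self.speed_kph = int.from_bytes(frame.data[:2], "big") / 100.0
            return self._note("accept", frame, "speed updated")
        if frame.can_id in DEVICE_CONTROL_IDS:
            if frame.bus != p.home_bus[frame.can_id]:
                return self._note("drop", frame, "DeviceControl from wrong bus")
            if self.speed_kph > p.device_control_max_kph:
                return self._note("drop", frame, "DeviceControl while at speed")
            return self._note("accept", frame, "DeviceControl at rest")
        return self._note("accept", frame, "local traffic")

    def bridge(self, frame, dst_bus):
        """Decide whether a frame seen on frame.bus may be forwarded to dst_bus."""
        if (frame.bus, dst_bus, frame.can_id) in self.policy.bridge_allow:
            return self._note("forward", frame, "on bridge allowlist")
        return self._note("drop", frame, "not on bridge allowlist")


def demo():
    """Walk the gateway through the cases the paper raised; returns the verdicts in order."""
    gw = Gateway()
    verdicts = []
    verdicts.append(gw.handle(Frame(HS, ID_BRAKE_CONTROL, b"\x01\x00")))          # at rest: accept
    gw.handle(Frame(HS, ID_WHEEL_SPEED, (6000).to_bytes(2, "big")))               # now 60.00 km/h
    verdicts.append(gw.handle(Frame(HS, ID_BRAKE_CONTROL, b"\x01\x00")))          # at speed: drop
    verdicts.append(gw.handle(Frame(LS, ID_BRAKE_CONTROL, b"\x01\x00")))          # wrong bus: drop
    verdicts.append(gw.bridge(Frame(LS, ID_DOOR_STATUS, b"\x00"), HS))            # allowlisted: forward
    verdicts.append(gw.bridge(Frame(LS, ID_BRAKE_CONTROL, b"\x01\x00"), HS))      # not allowlisted: drop
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two design points carry the weight here. The speed used for gating is taken only from the bus the ABS module actually lives on, so an attacker who reaches the body bus cannot report "0 km/h" and re-enable the brake commands; and bridging is a deny-by-default allowlist keyed on source bus, destination bus and ID, so a diagnostic request on the low-speed side never reaches the chassis modules even if a device on that side replays it.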
<item><title>Scalable is an abused word</title><description>Secuobs.com : 2010-05-25 23:46:30 - Uncommon Sense Security - Vendors love to tell us how "scalable" their products are. Many, however, fail to grasp that scales have two ends; if you start in the middle and only scale "up", your product is not truly scalable, so stop saying it is. That's it, just another bit of bitterness from a small business advocate. Jack</description><link>http://www.secuobs.com/revue/news/225614.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/225614.shtml</guid></item>
<item><title>Wherein Jack plays paper shredder</title><description>Secuobs.com : 2010-05-25 12:29:52 - Uncommon Sense Security - In my last post I started a series of rants about cars. As I said, it has been simmering for a while, but a paper called Experimental Security Analysis of a Modern Automobile (PDF) pushed me to write. While the first post was not specifically about this paper, this post and some later ones will be. I'll reiterate that there is a lot of good information in the paper, but you need to sift through a bit of arrogance and ignorance to get maximum benefit from it. While that is almost universally true of all papers, especially academic ones (they rarely have, or even give credit to, trench-level experience), it is often hard to accept the valid parts of a paper after discovering glaring errors. Let's start with an excerpt from the very promising abstract: "Abstract. Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally evaluate these issues on a modern automobile and demonstrate the fragility of the underlying system structure." Note: In the Olden Days, we also had systems which "pervasively monitored and controlled" cars, they were called "drivers". Damn right, cars have become more computerized and the systems are networked- and now more vehicles have multiple wireless communication systems, most (if not all) with some level of access to the onboard networks. There's a recipe for a playground of badness. So is this paper. Rather than shred it entirely, I'll call out a few things which set me off. But first, venture back in time with me. In the early sixties, we had cars with electrically-controlled transmissions. Not especially reliable, but we had them. Cars had computers before that, but we didn't call them that. They were called "automatic transmissions", controlled by hydraulic decision engines which selected the appropriate gear based on a variety of variable inputs- including throttle position, engine load, engine speed, road speed- all under amazing temperature and vibration extremes. There have been a lot of interesting technologies in autos, often appearing earlier than people realize. And tinkerers, mechanics, racers, gear-heads, whatever you want to call them, started hacking cars and their systems as soon as they got their hands on them. And it was not new with cars, we've tinkered and pushed the limits of stuff since crawling out of the primordial ooze. I think a weekend in the pits at an SCCA event might prove eye opening for many- the creativity is amazing. Diving into a few specifics of the paper, we don't make it out of the first page before we get our first warning: "Through 80 years of mass-production, the passenger automobile has remained superficially static: a single gasoline-powered internal combustion engine; four wheels; and the familiar user interface of steering wheel, throttle, gearshift, and brake. However, in the past two decades the underlying control systems have changed dramatically." Maybe we'll let this slide, a bit of hyperbole to start the paper off. We'll ignore diesel engines, the move from manual to automatic transmissions, front to rear wheel drive, etc. But then we get to: "While the automotive industry has always considered safety a critical engineering concern (indeed, much of this new software has been introduced specifically to increase safety, e.g., Anti-lock Brake Systems)". Anti-lock brakes have certainly evolved considerably, but ABS was effectively mandated for heavy trucks by US FMVSS 121 in 1975. Yeah, Gerry Ford was in the White House, the scourge of disco was beginning to destroy a generation, and polyester was an acceptable fabric for something called the "leisure suit". Not quite "new" systems. Maybe I'm still nitpicking. Cars are different than trucks (but not that different in many ways). There really is a lot of good information in this paper. (Of course, if they had let their mechanics read it after getting their cars serviced it would have been a lot better.) Then, we get to this gem: "In this paper we intentionally and explicitly skirt the question of a threat model. Instead, we focus primarily on what an attacker could do to a car if she was able to maliciously communicate on the car's internal network. That said, this does beg the question of how she might be able to gain such access. While we leave a full analysis of the modern automobile's attack surface to future research, we briefly describe here the two kinds of vectors by which one might gain access to a car's internal networks. The first is physical access." Another little insight for you: if I have physical access to your car, I can now do with a computer, cables and custom software what has been possible for almost eighty years with a pocketknife- damage your brakes. (Note, cars have been around for over a century, but use of hydraulic brakes was not widespread until the thirties.) You can really get creative with digital attacks, but you've been able to do creative brake damage by exploiting physical and hydraulic vulnerabilities, there's plenty more than simply cutting lines which can be done. Switching gears (sorry, had to) to traditional information security, ignoring the threat model is best practices. No, wait, ignoring threat models is a horrible idea, but sadly common. "The other vector is via the numerous wireless interfaces implemented in the modern automobile." Now we're talking, this is a huge problem (at least potentially), and it needs a lot of research. Skipping forward to section IV.C, there is more critical information. Not surprising, but important- there are poor standards, implemented poorly and un-enforced. That is not shocking to those of us in infosec, but especially scary when we're talking about interaction of physical safety systems. It is a bit depressing that they are surprised by this, and surprised how easily the systems fell to fuzzing attacks, another sign that the authors may not have the real-world experience I would like. I'll continue the rantview in an upcoming post, but I may become snarky, and possibly mean about it. Jack</description><link>http://www.secuobs.com/revue/news/225373.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/225373.shtml</guid></item>
<item><title>Some folks need to get over themselves</title><description>Secuobs.com : 2010-05-23 20:59:26 - Uncommon Sense Security - This is a multi-part car rant, wherein I insult some "hackers" and "academics" who richly deserve it. The targets of my scorn are not likely to hear my rants, as they have anatomically unlikely body parts shielding their ears (entire heads, actually). Where to start? NEWS FLASH: Car people have been "hardware hacking" longer than you have been alive. They have also been hacking electrical and electronic systems for many decades. And hacking onboard computer systems for a few decades. Just because some computer literate folks decided to play with cars, "hacking cars" is new and newsworthy? To the folks who believe this, get over yourselves. Some might say "but Jack, computers make cars too complicated for the dumb mechanics and knuckle-dragging gear heads who beat us up in High School". To these people I say, you weren't beaten badly enough or often enough in High School. Back in the dark ages, when I was a mechanic, we did creative tuning and repair when we had to. Early emissions and computer systems were less than ideal in function and reliability, so we adapted the tricks we knew and added more to compensate. For example, there is still a handful of mixed resistors in my tool box, we used those to tune gauges- and later to tune the inputs computers received from sensors. Strategically placed vacuum bleed valves, creative use of timers and relays, and so on- were nothing new to a competent mechanic as we dealt with the influx of computers in autos. We played mix and match with parts- computers, sensors, chips, whatever we could. Sure, we were not hacking code, but we broke things just enough to make them work. If you expand the scope to cover auto racing, especially the cheap, "run what you brung" classes, the ingenuity has been amazing. Phrases like "you can't do that" and "watch me" have been heard in the pits since the first races. So when I see stories about car hacking I get a little twitchy. There are cool projects, like OpenOtto, an open framework for accessing automotive systems and networks, and most folks involved in that seem to have a clue. I do occasionally hear the odd stupid remark about it (generally from people who don't understand the fundamental difference between data and information), but overall I hope it develops into a powerful and easy to use tool. What triggered this bit of Goodwill Towards Men? It has been simmering for a while, but a paper called Experimental Security Analysis of a Modern Automobile (PDF) pushed me over the edge of reason. Fine, farther over the edge. There is a lot of good information in the paper, and some crap, and a fair bit of academic arrogance. I'll start the dissection of the paper in an upcoming post. Jack</description><link>http://www.secuobs.com/revue/news/224873.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/224873.shtml</guid></item>
<item><title>Observing observers</title><description>Secuobs.com : 2010-05-19 12:50:46 - Uncommon Sense Security - Here's a little experiment in observation for you- the next time you are in an airport, watch the watchers. If you haven't tried it before you are in for an education. There are a few classes of "watchers" in most airports, I want to focus on three, starting with TSA employees. Note: TSA bashing is always good fun, but that isn't the point here. Well, maybe just a little. When you are in line for the security theater checkpoints, watch the TSA agents as they observe the passengers. Are they scanning the entire area occasionally, or are they focused on a narrow space? Do they look around at all? How do they look at people? How do they observe the non-passengers (crew, staff, etc.) as they go through security? What happens when they leave their posts, do they wander off aimlessly, or scan the crowds as they head off wherever they are going? Next up, "real" law enforcement. Not just any policeman or sheriff, but you'll know them when you see them. They see everyone. They check everyone's eyes, hands and waist- not in a forced, "I just learned this in a webinar" way, but in a fluid and practiced "I am not getting sucker-punched again" way. You'll know it when someone triggers their interest- the police are generally discreet about it, but it is often clear when someone is getting a secondary (and more thorough) inspection. They also walk the halls with one shoulder against a wall to reduce the area they need to cover, and to reduce their attack surface. And they don't stop looking as long as they're in public. Now, finally, the last group. The ennui-ridden would-be fashionistas working at the Casa de Sunglasses kiosks (or whatever they're called). Really. Like the police, not all have the skill, but you'll know the ones I mean when you see them. They see everyone, they see the eyes, the hands- and if not the waist, they are certainly checking out other areas of the bodies of passers-by. Sure, some people get checked out a lot closer than others, but no one gets by without at least a cursory look. (I feel like a piece of meat when they look at me like that. OK, they do not look at me like that. But a boy can dream.) That's it. No grandiose conclusions from me- but if you think about it, you may have some new ideas about education, motivation, and observation. And you might become a bit more observant yourself. Jack</description><link>http://www.secuobs.com/revue/news/223557.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/223557.shtml</guid></item>
<item><title>PDFs are the devil</title><description>Secuobs.com : 2010-05-17 03:57:58 - Uncommon Sense Security - This isn't new, but a lot of folks don't seem to realize just how bad PDFs are. Remember when we told people to send us PDFs instead of Word documents because we thought PDFs were "safe"? Boy, were we wrong. OK, we weren't wrong, but times (and threats) have certainly changed. Now, with the XML-based Office file formats and the proliferation of PDF malware, I'm much more leery of PDFs than DOCX files. The PDF specs are part of the problem, and the implementations of PDF readers are another part of the problem- the specs allow for things like embedded executables, and the implementations are buggy. If you haven't read about these issues, check out the articles below: http://www.f-secure.com/weblog/archives/00001903.html http://www.f-secure.com/weblog/archives/00001923.html http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/ Some have suggested disabling JavaScript in your PDF reader, but that doesn't resolve all of the issues. I don't have a perfect solution, but I do have a suggestion, one that I've adopted- it is far from perfect (it is slow and lacks features), but it works to add a layer of protection when viewing PDFs online. Gpdf can be deployed to your browsers (Google Chrome and Mozilla FireFox only), it will open PDFs in Google Docs, this moves rendering to Google's servers and adds a big layer of protection to your browser. Information and installation instructions are available from http://blog.arpitnext.com/gpdf. Google Docs rewrites PDFs on the fly, and adds a significant layer of protection. Now don't be naive, Google rewrites the PDF so they can see what you are reading, and any anti-malware systems they use are to protect their servers, not you- they are Google, after all. As I said, Gpdf is not perfect, but it is a step forward. Which is the right direction. Jack</description><link>http://www.secuobs.com/revue/news/222692.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/222692.shtml</guid></item>
<item><title>Who's up for a SecTorBus trip?</title><description>Secuobs.com : 2010-05-14 12:35:13 - Uncommon Sense Security - We tried last year, and it almost, very nearly, happened. But it did not. Maybe with a bit more lead time we can do it this fall, a road trip to Toronto for the awesome SecTor security conference. Like a Shmoobus, but headed north instead of south. Interested? Email me at work, jdaniel (at) astaro.com. I'll try to get them to sponsor again (they're cool like that). Possible routes are Boston to Northern Virginia to Toronto, or maybe Northern Virginia to Boston to Toronto. It depends on who joins us, and which highway you stand beside waiting for a ride. And, no, it will not look like this bus. Let me know. Jack</description><link>http://www.secuobs.com/revue/news/222149.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/222149.shtml</guid></item>
<item><title>Quick Update on HacKid</title><description>Secuobs.com : 2010-05-13 00:47:37 - Uncommon Sense Security - HacKid is coming together nicely, with events in the Boston area (Cambridge, actually) and Northern Virginia. It looks like the inaugural event will be on the weekend of August 28-29. The website and wiki have been updated, and there's more information on the latest episode of the Southern Fried Security podcast. Round up the little guttersnipes and get them involved. You, too. Jack</description><link>http://www.secuobs.com/revue/news/221615.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/221615.shtml</guid></item>
<item><title>HacKid Conferences</title><description>Secuobs.com : 2010-05-06 03:45:04 - Uncommon Sense Security - Have kids? Nieces, nephews, grandkids? Maybe Big Brother Big Sister or some other rent-a-youth? Perhaps you just want to boost your chances of working with functional young folks in several years when they join the workforce. Chris Hoff had a great idea at SOURCE Boston this year, he brought his three daughters- which got him thinking about kids, conferences and hacking. The result sounds like a great idea, HacKid conferences, check out the site for more info, then join and contribute to the wiki. It looks like Labor Day weekend will be the first round of events, but keep an eye on the HacKid site for updates. Jack</description><link>http://www.secuobs.com/revue/news/219310.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/219310.shtml</guid></item>
<item><title>OWASP Top Ten</title><description>Secuobs.com : 2010-04-19 18:17:48 - Uncommon Sense Security - Hopefully you've seen this all over the place by now, but if not, OWASP released their updated Top Ten list for 2010 today. From the site: "The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code." The full 22 page PDF can be seen here (opens in Google Docs because I don't trust PDFs. Not that I trust Google, either, come to think of it). This year's list includes a completely new list of problems we have never seen before. No, wait, this is stuff we've been fighting for years. We need to get the word out to the right people, and it is pretty clear that we have a way to go on that front. This year's Top Ten features: A1 Injection; A2 Cross-Site Scripting (XSS); A3 Broken Authentication and Session Management; A4 Insecure Direct Object References; A5 Cross-Site Request Forgery (CSRF); A6 Security Misconfiguration; A7 Insecure Cryptographic Storage; A8 Failure to Restrict URL Access; A9 Insufficient Transport Layer Protection; A10 Unvalidated Redirects and Forwards. Read 'em and weep. Or, better yet, read 'em, and spread the word. Jack</description><link>http://www.secuobs.com/revue/news/213680.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213680.shtml</guid></item>
<item><title>Personal Security, Conference Stupidity</title><description>Secuobs.com : 2010-03-27 23:42:55 - Uncommon Sense Security - You've seen them. You've probably even been one. But you know better. I am talking about the "conference dorks", the folks who go to events and wander all over town proudly displaying their conference badges, usually with plenty of computer and/or camera gear dangling off their shoulders- you know, screaming "I'm a tourist, rob me". I am pretty sure what I saw wandering around SXSWi this year was the worst I've ever seen, but I've seen some pretty dumb things at RSA and NADA conventions, too- and those aren't in cities as nice as Austin. This isn't meant as a paranoid rant, or meant to spoil your fun, but seriously, think about what you're doing. Here are a few tips, primarily designed for the pedestrian, and it is far from a comprehensive list- feel free to add more or argue with me.
- Ask someone what areas are safe, and which are not. Also ask WHEN things might be less safe.
  - Ask friends who live in the area. Not the practical joker friends, either.
  - Ask at your hotel (they want you to live long enough to check out and pay your bill).
  - Ask a local cop. Don't bother them while they're busy, don't waste their time- but they know, and they do not want to have to fill out yet another report about a crime involving an ignorant tourist.
- Do not advertise being a tourist.
  - Don't wear name tags/badges when outside event venues. I don't care if it is a SXSWi Platinum badge, don't do it.
  - Think about the gear you carry and the way you carry it.
  - Travel light.
  - Keep straps short, and gear tucked in close.
  - If you have to carry things any distance, make sure you have one hand free at all times (or have something you don't mind dropping in one hand).
  - Look at yourself, think about where you are going (and how you're getting there). If the images don't line up, change something (clothes, route, attitude).
- Be aware of your surroundings, and stay alert.
  - Don't be nuts, but keep your eyes open, and look around.
  - "Sweep" your path with your eyes, note what people have in their hands and look at their faces.
  - Eye contact is a tricky thing, it makes some people uncomfortable. Glance, do not stare at people.
  - If something makes you uncomfortable, stop and ask yourself why.
  - Our Fight or Flight wiring is not ideal for our modern world, but ignoring "odd feelings" about a situation is just plain dumb.
- When walking, plan your path several dozen feet in front of where you are.
  - Avoid walking close to blind doorways, spaces between cars, blind spots near dumpsters, mailboxes, any obstacles.
  - This limits both innocent surprises of people stepping out of blind areas into your path, and puts you a step or two away from potential harm.
  - If there are solid walls or fences on one side of your route, stay close to them (stepping away for gates, doors, etc.).
  - Glance back occasionally.
  - Stopping before crossing a street keeps you from getting run over, and allows you to take a good look around without being too obvious about it.
- Traveling in groups is usually better than traveling alone.
  - But a group of idiots isn't always much better.
  - Also, ask yourself if your group could appear threatening to others.
  - Groups of drunken, obnoxious con attendees are never pleasant.
  - Unless you are in the group.
  - And even then it can be ugly.
  - Do not assume that anyone in the group knows where they are going. Plan your routes accordingly.
Another thing, I don't care who you are, or how tough you are, or what movies you've seen- avoiding a problem is the best course of action. If you go out looking for trouble, you are likely to find it. Be safe. Jack</description><link>http://www.secuobs.com/revue/news/206125.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/206125.shtml</guid></item>
<item><title>Security BSides San Francisco and Austin</title><description>Secuobs.com : 2010-03-22 11:15:26 - Uncommon Sense Security - That was fantastic! But please remind me to leave more than ten days between these things, OK? Two more amazing BSides events have happened, first in San Francisco, then in Austin. San Francisco was a two day event, there is a lot of information on the event site, audio and video will be posted (as volunteer time permits). The talks were great, every one, and the second incarnation of the PCI Compliance panel we did at Shmoocon included a merchant and a QSA, with (not surprisingly) some strong opinions from the audience. There are more details on all presentations on the talks page. I have a photo set up on Flickr from BSides San Francisco. Austin was a one day, less structured event, lining up with SXSWi, but not a traditional security conference- and there was very little crossing of the audiences. We tried to downplay expectations, but ended up with great attendance and amazing content again- and we did it in a true unconference format, even using Open Spaces in one of the rooms for breakout sessions while having the other room set up for traditional presentation formats. Links to audio and video are also being added to the site as they are posted. I have photos and a few video clips of BSides Austin, including the amazing afterparty, Hackers on a Duck- an after-hours, grown-up version of the classic Duck Tour. Now that I've had a week to recover, I am really looking forward to the upcoming BSides Boston event, if you want to join us there, please sign up at Eventbrite, and if you would like to speak, sign up on the talks page. We will most likely do a hybrid model, some scheduled talks and some rooms set up for breakouts and impromptu conversations. Jack</description><link>http://www.secuobs.com/revue/news/203925.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203925.shtml</guid></item>
<item><title>I knew what I meant</title><description>Secuobs.com : 2010-03-21 19:00:45 - Uncommon Sense Security - In my last post I shared some thoughts on Howard Schmidt and his new CyberThingie position. I really wasn't clear on my "burning bridges" idea, and I need to correct that. Adam Shostack gently pointed out shortcomings in the post, and helped me focus my thoughts- the clarifications follow. To clarify what I meant in the earlier post- I think that Howard has no budget authority, and although he negotiated a significant improvement in how he reports up the ladder and who he reports to, he is still very limited in what he can accomplish directly. Adam had some very constructive suggestions, I think pushing for transparency, and helping build/publicize guidelines/standards could actually make a difference. But, I think he will run up against entrenched people who won't cooperate, and that's where a willingness to spend personal capital could be critical (at least in the mind of this curmudgeon). When persuasion and compromise fail, he has nothing to fall back on- except the fact that he can call people out, as publicly as necessary, and use all those contacts and connections he has built in his career to make it very uncomfortable to be a security obstructionist. I don't think that is something he should undertake lightly, or regularly, but I do think setting a "don't push him too far" expectation could compensate for some of the weaknesses of his position. I believe his situation, not needing the position, being able to go home and forget it all when he's done, could be empowering- he doesn't have to play the beltway clique games by the rules. But, I don't think that is his style. As I said, I hope I'm wrong, and I'm willing to help him prove me wrong. This leaves the question of how he should distinguish between those who deserve to be called out because they really are a problem, and those who have not been convinced by his arguments. Here I think Mr. Schmidt can turn to some of his trusted contacts before acting, but this will always be a tricky balance. Better? Jack</description><link>http://www.secuobs.com/revue/news/203818.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203818.shtml</guid></item>
<item><title>A belated "open letter" to Howard Schmidt</title><description>Secuobs.com : 2010-03-15 05:21:51 - Uncommon Sense Security - I know I'm late to this party, but we have a new (but not really) Cyber-Something (not czar/tsar or anyone with authority to inflict papercuts much less beheadings), Howard Schmidt- and I have a few opinions to inflict, and an "open letter" of sorts to offer. There were nice people who offered nice Open Letters to Mr. Schmidt in the face of ugly cynicism about the appointment, including these from Adam Shostack and Chris Hoff. Adam had some very good suggestions, and Hoff made a genuine and altruistic offer. I just happen to think Howard Schmidt is not the right guy (he could be, he has the credentials and experience, I just don't think he's going to move us forward). He talks about InfoSec leadership from our paralyzed and dysfunctional federal government as being needed to solve the problems of private industry. The phrase "We're from the government, and we're here to help you" has brought out the literal and figurative shotguns from concerned citizens throughout history, and in hindsight, that was often an under-reaction. He talks about the relationships he's built and his experience. He does not talk about the powerlessness of the position (although he did improve this dramatically before accepting the job). Largely missing is talk about transparency, and completely missing are direct challenges to those in the way of progress. Schmidt has the connections to make some things happen- but more importantly he has connections he can burn if they get in his way. That's what it will take to get power into this feeble position, a willingness to pick fights, even with old friends, and publicly call out the worst obstructionists. Schmidt is in a unique position, he does not need this, he can go live happily on his mountain, maybe sit on some boards for entertainment- so a few burned bridges aren't career limiting for him. With these things in mind, here's my "open letter" to Howard Schmidt, I really hope he has better things to do than read this nonsense, but... Dear Mr. Schmidt, I'm not sure you are really the best person for the job. It is not that you aren't qualified, but I think you are unlikely to burn bridges that you have spent a lifetime building- unfortunately, calling out people who obstruct security is one of the few powers you have. I hope I am wrong. As a matter of fact, I so sincerely hope I'm wrong that if you ever get desperate enough to ask me for help, I will do whatever I can to help you prove me wrong (I prove myself wrong regularly, I'm pretty good at that). I'm not sure what skills I have to offer, but I'll try whatever you need. I do have a talent for offending people which may be handy. Your Humble Curmudgeon. There, that's it. Jack</description><link>http://www.secuobs.com/revue/news/201586.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/201586.shtml</guid></item>
<item><title>A step in the right direction</title><description>Secuobs.com : 2010-03-01 07:09:08 - Uncommon Sense Security - Sure, I may have trashed the regulation and regulatory process, but it is still significant. Not Earth-shattering, but significant, especially here in the US. Not near as significant as it should be, but a starting point. Massachusetts' MA 201 CMR 17.00 data protection regulations are now in effect, and that is a huge step forward for the protection of personal information. Breach disclosure laws are old news, but 201 CMR 17.00 is different, it prescribes data protection specifics, and it is not limited to those in Massachusetts: "201 CMR 17.01(2) Scope. The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth." Yes, all persons (which includes companies and organizations), regardless of where they are located, are covered if they "Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment". The standard interstate commerce laws cover out of state jurisdictional issues- being out of the state does not shield anyone. This is a big deal, for two key reasons. First, it is leading the way in state regulation of the protections of our data. There have been other regulations about protection of data, but I believe this is ground breaking and will be followed by other states (or at least watched from the sidelines with a bucket of popcorn and a cold beer). Second, it has a very broad reach, it is not industry-specific, it applies to a large number of organizations which have never had regulatory requirements on their IT systems before. Specifically, it applies to: "Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof". Oh, and don't get wound up about the government exclusion for Massachusetts, they are covered under Executive Order 504, which mandates similar protection of data for them. This regulation can put a significant burden on businesses which do business with Mass. residents (and bother to comply), and I believe that small businesses face the biggest challenges. (Let's be honest, the burden is to do what they should already be doing, but are not; that doesn't mean it will be easy.) Small businesses are the least likely to have dealt with regulation before (except in specific regulated fields), and they are the least likely to have the knowledgeable personnel and financial resources required to comply. Those organizations in the 40-200 user size are probably going to have the hardest time (as they often do)- they're too big for doing everything manually, and not big enough to justify the enterprise tools to help manage some of the tasks at hand. It will be interesting to see where this goes, if anywhere. I don't think most people in Massachusetts are aware of this, much less those outside of the state. Jack</description><link>http://www.secuobs.com/revue/news/196487.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/196487.shtml</guid></item>
<item><title>Headed to RSA next week?</title><description>Secuobs.com : 2010-02-25 17:54:57 - Uncommon Sense Security - If you are headed to RSA next week, here are a few references you should check out: Bill Brenner's "RSA Conference 2010: 4 Survival Tips" over at CSO Online has good, practical advice (including a nice plug for Security B-Sides San Francisco). Tim Whitman's "Remember, It's More Than Just The Show Floor" on the Schwartz Communications blog. And the team over at Securosis has done a pile of work putting together multiple guides to RSA, head over to their blog to find all the goodness. I'll be at the Moscone occasionally, but most of my time will be spent over at pariSoma for B-Sides. If you are wandering the conference hall, say hello to my co-workers from Astaro at booth 1855. Jack</description><link>http://www.secuobs.com/revue/news/195594.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195594.shtml</guid></item>
<item><title>Last post on SchoolSpyGate</title><description>Secuobs.com : 2010-02-20 18:39:21 - Uncommon Sense Security - This is exploding, as well it should, so I'll drop the story after this post and we can all follow it in the news- but there are a couple more things I'll point you to first. Martin McKeay has a good post on his blog, and there's a fairly damning interview on a local TV station with the family involved. After watching the interview, it is really hard to see how the school district comes out of this alive. The Superintendent of Schools has a new statement up on their site, compare that to the family's statements in the interview. Someone is flat out lying. I don't know who, but for now the school district has not done a good job of earning my trust. The school claims everything is logged, if that's true, why are the numbers changing? Yesterday the schools said 28 laptops had been recovered with the software, today they say 18. Maybe they just suck at PR. Alright, not "maybe". If you are competent, respectful of privacy, and have IT or educational experience, and are looking for your next job, I would suggest keeping an eye on this site: http://www.lmsd.org/sections/about/depart/hr/default.php?m=&amp;t=departments&amp;p=depart_hr_empop Jack</description><link>http://www.secuobs.com/revue/news/193823.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193823.shtml</guid></item>
<item><title>Another quick update</title><description>Secuobs.com : 2010-02-20 04:55:36 - Uncommon Sense Security -    The Washington Post has an article with more details on SchoolSpyGate Looks like the FBI is investigating, and there are a few more interesting tidbits- such as the cameras were activated 42 times in the past 14 months 2,300 laptops in the hands of students, 42 is about 2%, not an outrageous number if the uses were indeed for missing laptops, and the school district says that 28 laptops were recovered through the monitoring system But the more I read about this mess, the more questions I have I am glad the FBI is involved, but I am not certain they will help us get the truth The FBI is tasked with investigating potential federal crimes, and that's what they're looking for- they aren't doing  or authorized to do  a full forensic investigation and analysis of the situation and how it got to this point, they are looking for evidence of specific crimes The good news is the FBI does have plenty of competent agents who can process the case without spoiling evidence for state and civil investigations There is also the danger that if the FBI says there is no evidence of a federal crime, that will give the school district cover for their behavior What a mess Jack </description><link>http://www.secuobs.com/revue/news/193755.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193755.shtml</guid></item>
<item><title>More information, more questions</title><description>Secuobs.com : 2010-02-19 23:21:50 - Uncommon Sense Security -    Additional information has been posted on ZDNet, from the article   In an FAQ document, Dr Christopher McGinley, Superintendent of the Lower Merion School District, tried to clear the air The key points include    The district has disabled the tracking system and won't reactivate it without permission    The tracking feature was included on the roughly 1,800 Apple PCs provided to high school students   And the tracking feature  has only been used for the limited purpose of locating a lost, stolen or missing laptop The District has not used the tracking feature or web cam for any other purpose or in any other manner whatsoever  And these messages are posted at the school district's web site  http wwwlmsdorg sections news defaultphpm 0 t today p lmsd_anno id 1137 http wwwlmsdorg sections news defaultphpm 0 t today p lmsd_anno id 1138 So, we have some more information, but still a lot of unanswered questions- and maybe a bit of a contradiction The Superintendent claims that the monitoring software was never used for any purpose other than lost or stolen laptop recovery, but the suit alleges that an image from the laptop was used to prove a student's  inappropriate behavior - so, how was the image captured and retrieved  Did the student take incriminating photos of himself  The Superintendent's letter states that  This feature was only used for the narrow purpose of locating a lost, stolen or missing laptop  If this is true, how about some stats to back that up- tell us how many systems have been reported missing and how many have been recovered by use of the system It may either prove a value of the system, or  more likely in my opinion  prove relatively useless, compounding the problem Let's see the logs, and I don't want to see them from the school district- an independent team needs to grab the data and audit it for the sake of transparency Jack </description><link>http://www.secuobs.com/revue/news/193682.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193682.shtml</guid></item>
<item><title>They've gone too far Waaaay too far</title><description>Secuobs.com : 2010-02-18 17:13:46 - Uncommon Sense Security -    I get it, kids these days, they just can't be trusted Just like kids for all of eternity couldn't be trusted  especially me  So, do the best we can, set an example, hope for the best and deal with the worst Or maybe we should spy on the little guttersnipes, use technology to surreptitiously monitor them and take incriminating photos without informing them or their parents that it is happening Let's issue them bugged laptops and monitor them everywhere, even at home, even in their bedrooms, what a great idea So what if it is unconscionable and likely criminal  OK, Jack, did they give you a Magic Mushroom Latte at Starbucks this morning  Latest copy of Conspiracy Theory Digest just arrive  Sadly, no- the Lower Merion School District  PA  has implemented just such a plan This boingboing article outlines the story and there is more detail in this Courthouse News article I think the administrators responsible are very lucky people- our current legal system is not allowed to deal with this kind of behavior appropriately, because nothing the law can do to these school administrators comes close to what a righteously outraged parent would like to do Jack </description><link>http://www.secuobs.com/revue/news/193206.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193206.shtml</guid></item>
<item><title>Shmoocon 6 and the Shmoobus II</title><description>Secuobs.com : 2010-02-16 13:22:49 - Uncommon Sense Security -    It has been a week, and I've almost recovered Shmoocon was great as it always is, in spite of a blizzard- something the DC area is not prepared to deal with The Shmoobus was another great adventure, many thanks to Astaro for sponsoring the RV again this year It was a real adventure trying to get home through the horrific streets of DC, and the total mess of the beltway and I-95 between DC and Baltimore- but I piloted the Shmoobus home with no physical scars to rig or riders Emotional scars are another story Travel with us through the magic of the Internet  Shmoobus Tumblr My Flickr Set A Twitter Search There will be video at the Hacker News Network, but you are already watching HNN, right  A good wrap-up of the con from Anton Chuvakin Our panel discussion was on Sunday morning  Anton's thought on the panel  and it was good, even if Josh Corman had to play the part of Max Headroom and come to us via video stream since he could not get to DC because of the Weather We had a lively discussion, and I am confident that everyone present disagreed with something said during the hour- and some good conversations were started from the panel I can tell you that black Shmooballs flying through a darkened room make moderating a panel much more interesting than it would otherwise be Thanks again to my co-conspirators Mike Dahn, Josh Corman, and Anton Chuvakin for making it possible Jack </description><link>http://www.secuobs.com/revue/news/192273.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192273.shtml</guid></item>
<item><title>Singing Pigs and End Users</title><description>Secuobs.com : 2010-02-14 22:47:56 - Uncommon Sense Security -    This started life as a post to the Pauldotcom mailing list, but has morphed into a blog post because I think it is a topic we need to explore Larry Pesce wrote a good post over at fudsec, if you haven't read it, go now, and make sure you read the comments I think it is a good starting point for a conversation we need to have in InfoSec I generally line up with the detractors like Ranum in my skepticism of the value of user education, but I have tried many times anyway I almost always come back to Robert Heinlein's pig quote   Never try to teach a pig to sing  it wastes your time and it annoys the pig  We do get some successes, but at what cost  What else could we do with those resources that might yield better results  An informed look at the education we give end users, and the reasons that they should reject the advice, is found in a paper Cormac Herley delivered last year I read it when it came out, and keep going back to it It isn't very long, but it isn't really a light read, either PDF is at http researchmicrosoftcom users cormac papers 2009 SoLongAndNoThankspdf You should notice that this is focused on the home user, not the corporate end user- that is on purpose, there just isn't enough data to extrapolate conclusions with the level of detail he wanted Herley has observed that end users in business are rejecting the advice anyway I do think the numbers have to shift significantly when we factor in the costs of breaches to organizations and the fact that many fraud protections offered to individuals do not apply to businesses My gut feeling is that rejecting a lot of  security advice  still makes economic sense, at least from the corporate end-user perspective, but the margins are slimmer There is also the issue of the true cost of breaches  if I have a fraudulent charge on a card I am not out any money directly, but we're all paying double-digit interest rates on credit cards when the prime is below a percent, partly to cover fraud expenses  yes, costs, profits, the burden of PCI, etc are also in there - and the price of goods includes an added margin to cover  shrinkage   theft, loss, fraud, etc  We are all paying for the fraud, but the true costs are so obfuscated that we don't know what the real numbers are I'm not sure where we go from here, but I do believe we need to be able to honestly answer the question  is it worth it  before we hand out security advice and education, especially if it is the same stuff we've been saying for years I am sure that it makes sense to use this information to justify some lockdown of corporate assets  if the users can't be relied on to protect the assets  and arguably shouldn't have to , then we need to secure them before letting people loose to do their jobs As always, the balance is in enabling people to do their jobs without undue burden- but few people need unrestricted access to internal or Internet resources to do their jobs Jack </description><link>http://www.secuobs.com/revue/news/191828.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191828.shtml</guid></item>
<item><title>Finally, 201 CMR 1700 is coming, ready or not</title><description>Secuobs.com : 2010-02-01 13:42:03 - Uncommon Sense Security -    It looks like the last time OCABR said they  really mean it this time  about the last round of emasculations to Mass 201 CMR 1700, they really meant it Ready or not, it becomes effective on March 1, 2010 OK, poor phrasing there- let's say  goes into effect  instead, because I'm not that hopeful that it will actually be very effective If 201CMR1700 applies to you, I hope you are well on your way to complying, because you only have a month  and a stubby little month at that  to be compliant I do have one piece of advice, regardless of your current level of preparedness  Do not be the test case, the first prosecuted Yeah, not really  actionable , but bulletproof advice nonetheless Even if Massachusetts' Attorney General Martha Coakley hadn't just had her head handed to her in the Senate race it would be a bad idea But she did, and I bet she's bitter Do not get in her line of fire A second bit of advice, regardless of your current level of preparedness  Re-read the regulations Another lame one, really- but important and easy If you are ready and sure you are compliant, this will make you more comfortable If you are  getting there , it should help you focus your efforts If you haven't even started, it will help you find the ambition to polish up that resume Actually, the goal is to step back and make sure that you measure success against the correct benchmarks- before, during, and after the project  Completing  your compliance project and not being compliant isn't really success PDF of the regs  http wwwmassgov Eoca docs idtheft 201CMR1700regpdf and of course you can ask the Blogger search box in the upper left or the Lijit search in the lower right of this page to show you a multitude of my posts on the topic Jack </description><link>http://www.secuobs.com/revue/news/187278.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/187278.shtml</guid></item>
<item><title>Coast to Coast B-Sides</title><description>Secuobs.com : 2010-01-31 21:47:23 - Uncommon Sense Security -    Security B-Sides in Las Vegas and Mountain View were great successes, and there are more on the horizon If you are near  or will be near  any of them, please join us B-Sides San Francisco will be held at pariSoma, 1436 Howard St  at 10th  in San Francisco on Tuesday and Wednesday March 2-3 Not coincidentally, there's some other security conference in San Francisco that week This will rock, the lineup looks fantastic already Thanks to all the sponsors, especially the folks at BigFix, who will be running their shuttle busses again this year- with B-Sides on the route, so transportation will be a breeze B-Sides Austin is just ten days later, on Saturday March 13 This will be during SXSW Interactive, so downtown venues were locked up- but we have a great venue not far from downtown at the Norris Conference Centers at 2525 West Anderson Lane We will have two adjacent rooms, and are working out details now Maybe more formal presentations in one room and panel discussions in the other  Maybe some Cone of Silence sessions- where those who can't talk openly for one reason or another can talk openly with others, under NDA if necessary  I know what you're thinking,  NDAs at a B-Sides , but the idea is that there are a lot of people who would otherwise be shut out of the conversations- a little sharing is much better than none And this is only one of the ideas we have, so chill  B-Sides Boston will be held on Saturday and Sunday, April 24-25, at Microsoft's New England R D facility in Cambridge That's the weekend after SOURCE Boston, so it will be a great time to expand on some great conversations and begin new ones As always, these will be free events  but there will be a  tip jar  if you want to help  And yes, more sponsors would be greatly appreciated- equipment rental, meeting space, and beer do not grow on trees But what we really want is help spreading the word, and for you to join us at the events These are community events, that means you- tell us what you want, and help make it happen Jack </description><link>http://www.secuobs.com/revue/news/187091.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/187091.shtml</guid></item>
<item><title>The obligatory disclaimer post</title><description>Secuobs.com : 2010-01-11 00:07:38 - Uncommon Sense Security -    Most people know, but I suppose I should make these things clear You probably don't actually want to read this, it will be pretty boring- but I feel compelled to CMA and make the following perfectly clear I am an employee of Astaro Corporation This blog is not their corporate blog, the opinions expressed here are mine, not those of my employer I occasionally contribute to their blog, and there may be some overlap in topics, I may even plagiarize myself occasionally I am not compensated by my employer for anything I say on this blog Nor am I compensated by anyone else for what I say on the blog I rarely comment on specific products, and when I do, what you read are my opinions, not influenced by any gratuities I am not shy about enjoying the company of vendors when they offer food, drink, entertainment, etc, but these never alter what I write about them, except for the occasional notes of thanks I am likely to thank sponsors of the events I'm involved in, and will continue to do so, without prejudicing anything else I may write about them I do a lot of things in the IT and security community My employer is supportive of this and provides assistance in a variety of ways, ranging from tolerance for my absence to paying me to participate, and providing sponsorship of events The sponsorship of events has included financial sponsorship of the events, as well as non-financial assistance  logistical planning, use of equipment, etc  I was very active in community events before joining Astaro, and should I leave Astaro I expect to remain active in the community I present and talk at a variety of meetings and events, sometimes as an employee of Astaro, sometimes not I try to make it clear which is which  When I use terms such as  sales weasel , or  vendor shill , it is a hint that I'm probably on my own  Free stuff The only things beyond the routine free vendor freebies I have received from my blogging are access to events, the following are the events I have attended free, but with no quid pro quo or other arrangements    SOURCE Boston 2008   I received a complimentary press pass, and did write about the event for both this blog and the SOURCE blog   I was so impressed with SOURCE that I worked as a volunteer for SOURCE Boston 2009, and expect to do so for 2010 I received free admission in exchange for this work   RSA Conference USA 2008 and 2009   I received complimentary press passes both years, for which I am grateful to the RSA Conference They were one of the first to treat bloggers with respect and consideration, and they are to be applauded for this I did write posts on this blog about the RSA conferences and related events   I also worked at the Astaro booth part-time during 2008 and 2009, during which time I was compensated as an employee   I will not have the time to properly cover RSA 2010, out of respect for the conference's generosity I have not applied for press credentials this year I may purchase an expo pass to visit some vendors, and I may or may not write about it   SC Magazine's World Congress 2008   I received a complimentary press pass, and did write about the event for this blog   BlackHat USA 2009 and DefCon 17   I received complimentary press passes to both events   I am grateful for the passes, but I was unable to participate in BlackHat or write about it adequately due to other, last minute commitments that week   I am unlikely to apply for press passes for BlackHat events in the near future Due to schedule conflicts with Security B-Sides events it would be inappropriate for me to do so   If they want to offer, however   I expect to pay for DefCon Press credential this year Security B-Sides is not as clear cut, so I'll ask you to trust me on this one Astaro has and will sponsor B-Sides events They may or may not cover expenses for me, and may or may not pay me for my time while helping with events My time and labor may be considered part of Astaro's sponsorship of the events I will be as involved as possible, regardless of Astaro's role in the events B-Sides events are NOT Astaro events, they are community events- but my employers and I are supportive of community events, and we both, independently and together, support them Some people would call this  synergy , but I hide from people like that  and vice versa  HEY  Wake up  I'm done with this tedious, but necessary post Any questions, just ask Jack </description><link>http://www.secuobs.com/revue/news/180067.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/180067.shtml</guid></item>
<item><title>Maybe this will help</title><description>Secuobs.com : 2010-01-06 12:56:57 - Uncommon Sense Security -    I have had a few conversations recently on the topic of getting security messages to a wider audience, and the pitfalls that may bring If we are too technical we lose the audience, if we generalize we may get called out by security pros for inaccurate or incomplete statements This will always be a balancing act, but there are a few things I believe will help These aren't original thoughts of mine, but I think they are good ideas which bear repeating First, there is a tendency to dumb-down content for non-technical people, and that is a mistake Presenting information in a concise, or even simple, manner is fine- but don't dumb it down I can describe the Internet as  An interconnected mesh of networks and connecting links or A series of tubes The former is not perfect, but is simple and concise The latter is simple, and wrong Most of the people we need to reach aren't stupid, they just aren't security pros, so we need to educate them- while accepting that they don't want to be security pros, they just want to be safe The second idea is that we need to define ourselves and our audiences before crafting and delivering our messages I mean really stopping and thinking about our own background and perspectives, and then considering the audience's perspectives, goals, and expectations Imagine you are going to talk about Fast Flux and Double Flux  165k PDF , if you are a network security engineer for an ISP and are presenting to an audience of peers you can safely skip an explanation of DNS, and you need specific details and examples in your presentation, generalizations won't be welcome and errors won't be tolerated And if the presentation is good, many will ask you for copies of it so they can re-read and digest it later Now imagine you are trying to explain the same concepts to a local ISSA chapter, you'll need to review DNS for the less technical folks and you won't want as much detail, and no matter how good it is there won't be too many people asking for your deck If the audience is non-technical managers at work you will need to cover the basics and make very concise points  you get one shot, and no one is going to ask for your slide deck here And if the target audience is the general public, we need a distilled and focused message Not stupid, not fear-mongering, no lies But maybe a generalization, an anecdote, a story- as long as they are honest No matter who we are trying to engage, we need to understand our own perspective and we need to know our audience- and if there is a chance of confusion, we should make things clear I'm not suggesting we need to preface everything with an explicit  intended audience  disclaimer, but sometimes it would be a good idea Go forth and enlighten the masses Jack </description><link>http://www.secuobs.com/revue/news/178734.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/178734.shtml</guid></item>
<item><title>Shmoobus II</title><description>Secuobs.com : 2010-01-04 01:13:06 - Uncommon Sense Security -    There will be another ShmooBus, leaving the Boston area on Thursday morning, February 4, arriving in Washington, DC in the evening Return will leave DC on Sunday afternoon, getting to the Boston area whenever we get there It looks like we'll have some repeat riders, and new faces Space is limited, but if you are interested in joining us let me know- email jdaniel in care of my corporate overlords at Astarocom Astaro has kindly agreed to sponsor the ShmooBus again this year Jack </description><link>http://www.secuobs.com/revue/news/177718.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/177718.shtml</guid></item>
<item><title>PCI  An Existential Threat To Security As We Know It  </title><description>Secuobs.com : 2009-12-24 19:04:40 - Uncommon Sense Security -    I will be joining some very smart folks for a panel on PCI at Shmoocon next year Yes, PCI at a hacker con No, not a Pointy-Haired-Boss type presentation, but a panel discussion of PCI and its impact on our industry This is part of a larger effort to bring compliance issues to a broader audience, focused on PCI but with insights into the larger compliance realm- look for more presentations and some podcasts in the new year In this panel I will be joining Michael Dahn, Dr Anton Chuvakin, and Joshua Corman to discuss everything from the origins of PCI through its unintended consequences and speculation about the future of PCI The abstract for this session  Whether you love it, hate it, or are merely  friends with perks - compliance is significantly changing what we call security PCI has been accused of being the Spawn of Satan by some, and yet it has also been credited with advancing security by others This panel of PCI experts, analysts, and victims will discuss and argue the realities of PCI  its origins, goals, and consequences  intentional and otherwise  PCI is having an impact on priorities, budgets, and personnel, which is being felt throughout the security industry Unfortunately, there have been few informed discussions of PCI and compliance issues in the technical ranks of the security community This panel will bring PCI subject matter experts with real-world experience to the technical security professional and hacker audience to discuss, engage, enrage, and argue about what may well be an existential threat to information security as we know it The diverse viewpoints and experiences of panel members will guarantee a lively and often heated discussion, and will provide a broad base for fielding audience comments, questions, and criticisms Bring plenty of Shmooballs to this session, you will need all you can get As far as Shmoocon in general- Yes, there will be a Shmoobus Maybe more than one There will be great talks, great people, much hilarity, etc I hope to see you there Jack </description><link>http://www.secuobs.com/revue/news/175635.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/175635.shtml</guid></item>
<item><title>CERT spreads marketing BS and misinformation</title><description>Secuobs.com : 2009-12-01 23:23:00 - Uncommon Sense Security -    The US-CERT issued a bunch of new notices today And one is BS Not complete BS, there is a real problem with the way SOME web-based SSL VPNs break cross-domain security I have three primary problems with this, starting with the title,  Clientless SSL VPN products break web browser domain-based security models  Of course, there is no such thing as a clientless VPN, there are just systems which install the VPN client in your browser  sometimes without user interaction , and a few just use the browser itself as the client Most of what I see called  clientless  are actually installing an ActiveX, Java, or other client in the browser  Clientless VPN  is a nonsensical marketing term which has no place in a technical discussion Next problem, the list of  affected systems  includes systems which are clearly not affected- and while their status is listed as  unknown , the implication is that they may be vulnerable For the amount of vetting that went into the list, they could have included Microsoft Word and listed it as  unknown  status For example, OpenVPN is listed, but it is an installed application, not web-based- and unless they have completely butchered the description there is no way OpenVPN is vulnerable to this Also entertaining is the listing of several Linux distributions, most tagged as  unknown  status, with the notable exception of Red Hat, which is listed as  Not Vulnerable  Odd they would commit, or even list OSes given the multitude of VPNs which can be configured on a Linux Wait, not odd, useless and misleading Finally, and most critically, by the time we've peeled back the obvious mistakes and fluff, the full nature and extent of the vulnerability is not clear After a bit of de-obfuscation and digging, you can probably figure it out Silly me, I thought that was what CERT was supposed to do for us when they issued these notices There are two posts on the topic over at Securosis that are worth a read, the first post isn't great, but the comments are The second one is a good clarification of the first Jack </description><link>http://www.secuobs.com/revue/news/167475.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/167475.shtml</guid></item>
<item><title>I got that wrong</title><description>Secuobs.com : 2009-11-30 19:56:47 - Uncommon Sense Security -    Shortly after uploading my last post I realized I was wrong about money losing its voice It isn't losing its voice, it is just hoarse from screaming It also seems to be gaining an Asian accent Jack </description><link>http://www.secuobs.com/revue/news/166843.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166843.shtml</guid></item>
<item><title>A balancing act</title><description>Secuobs.com : 2009-11-28 04:55:08 - Uncommon Sense Security -    I had a great conversation with Nick Selby this afternoon, and one of the many topics we discussed was triggered by a couple of his recent blog posts about critical infrastructure- one touching on the 60 Minutes piece hack-job and another on Fudsec about where the risk should be placed At first, I was really wound up about Nick's post on the 60 Minutes piece because he seemed to be excusing sloppy  journalism  because the value of reaching a wider audience outweighed the problems of questionable reporting  Part of my reaction was certainly due to my contempt for 60 Minutes, I feel that they don't do investigative journalism, they are what is wrong with  investigative journalism  on television The fact that 60 Minutes is generally less horrible than anything else in the genre is not comforting  In case you somehow missed it, there was quite a bit of furor over 60 Minutes' claim that a Brazilian blackout was caused by hackers Robert Graham had a pretty terse post about this on the Errata Blog, and Rich Mogull did a good job of providing a balanced perspective My take on the 60 Minutes bit is that investigative reporting should investigate, and do so with a significant dose of skepticism, and report findings honestly I also think that we as the audience have a responsibility to be skeptical of the reporting 60 Minutes' hacker claim could not be backed up conclusively  at least not publicly and on the record , so I believe they should have been honest about that instead of going for the hype If they had said something like  There are some conflicting reports as to the true cause of the outage, but we have high confidence in our sources What may be more troubling than the actual cause of the outage is the fact these systems are so vulnerable to so many attacks, and so poorly monitored and regulated, that even after a major outage the true cause cannot be determined conclusively  I would have been happy with that But, that isn't a sexy soundbite Oh, well, it is television I thought Nick's post on the Fudsec blog was good, but it included a fairly flip comment about the ease of mitigating the Aurora vulnerability  585k PDF , which triggered objections Nick clarified his position on this in a comment to his post The central idea of the post is an interesting one- that getting customers mad at the negligent utilities and demanding improvements is the way to address the problem of vulnerable private critical infrastructure I am not sure how likely that is to happen, but that is the capitalist way to do it, and money talks  although it has nearly lost its voice of late  Where does this leave us  Nick has made some very good points, and I think he has hit a fundamental problem in trying to get the word out to a larger audience than those of us in the security world  how to simplify the issues into concise and understandable language  NOT dumbed down  so that non-professionals can understand it, while not running afoul of appropriately detail-oriented, accuracy-demanding professionals This has to get sorted out, too much effort in the security community is spent in navel-gazing, chest-beating, choir-preaching, and other hyphenated silliness We need to engage and educate people outside our community if we are going to make real progress Jack </description><link>http://www.secuobs.com/revue/news/165930.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/165930.shtml</guid></item>
<item><title>IT as Utility, that is just stupid. And Wrong.</title><description>Secuobs.com : 2009-11-23 14:28:08 - Uncommon Sense Security - This set of ideas just won't die, no matter how wrong they are. Deceased IT: "IT will be completely commoditized", "IT will be just another utility, like power and water", and my favorite, "IT is dead". We've heard this idiocy from a variety of smart people, including Nicholas Carr and even The Bruce, and there is some truth to it: some parts of IT are becoming commodities, and IT is certainly evolving. Some people have extrapolated these ideas into saying that careers in IT are dead-ends. Now I've got nothing against the judicious use of hype and hyperbole to make a point, but these ideas fall apart pretty quickly under a little scrutiny. As far as "death" of the careers, these lies aren't even true for actual utilities such as power and water. Let's start with commodity: it is certainly true that in IT you can often get similar services from a multitude of sources, but the commodity utility analog only goes so far. For one thing, utilities usually offer little or no choice; your water company is the only game in town, unless you dig a hole in the yard. Other utilities do have some competition, but "the x company" is often responsible for "last mile" connectivity regardless of who you send the check to each month. Turning to the product: when I turn the knob on the faucet I get water; when my neighbor turns on her faucet she gets water, too, and it is the same water for the entire area, and whoever needs it, gets it. Same goes for electricity, natural gas, etc. Sure, there are a couple of different pressure/voltage/flow options, but it is all just increments of the same thing. And as far as electricity, it is crap. "You'll outsource your network the way you outsource electricity." Except NO ONE with a need for stable and reliable electricity outsources it completely; what comes off the wire is garbage, and we have to use a variety of devices, from UPSes to power conditioners, to have any faith in what comes out of the wall. Oh, and I don't suppose you've noticed the booming sale of generators to businesses large and small (and to homeowners)? That's because the commodity is not good enough and not reliable enough to trust. I hear the arguments, "but Jack, my phone is MY number", and that is true, but it is still the same capability set with a little personalization. Cable TV falls into this category: your whole neighborhood gets a set of available features; if you want something unique, you get lots of practice at "wanting", because you aren't getting it. The phone company does offer a lot more than POTS lines these days, but they need a lot of people to do it, and you need people to take their services from the demarc point to something useful. Moving on to the "... is dead" or "... is irrelevant" nonsense. Starting with the obvious: if everyone doesn't generate their own electricity, but instead buys it, the electric company has to hire a buttload of electricians and engineers to make this work. The task is not "dead", it just moved. As we move beyond that, answer this: if something is dead or irrelevant once it is a "commoditized utility", can you explain why you see so many plumbers and electricians on your daily commute? Because things go wrong. Because it has to be installed. Because if you get a "one size fits all" commodity, someone has to make it fit for you. Because someone has to get the various commodities where they are needed and to keep them from leaking into unwanted places. Let's not overlook all the plumbers and electricians you don't see, the ones who go to work at the same site every day: plants, retail facilities, hotels, and so on. They have careers in spite of working with utilities. Some have jobs because of the utilities' poor quality and service. Part of this flawed mindset is human nature, at least the nature of humans who aren't curious or observant: if someone else does something for me, it is automatic, and I can ignore automatic things. Until they fail and I'm screwed because I don't know how it works, so I can't even figure out the right person to call. Here, we're actually on to something, because that describes a lot of what we deal with in IT. As mentioned earlier, IT is evolving, and some things are being "commoditized". Cloud computing (whatever that means) is a great example of this. Unfortunately, there is a lot of confusion about cloud computing, and even more misinformation. It will eventually get worked out, but for now, I like being on the sidelines of the cloud game. The "dead-end" career talk about IT is, however, absolutely accurate, if you aren't ready, willing, and able to work in an evolving environment. On the other hand, if you are working to keep up with your industry and looking ahead, you are probably as safe as anyone in this volatile global economy. (I actually have a grasp on "cloud" terminology, but it is not my focus. If you want to know about cloud computing issues you are already a reader of Hoff's blog, or you should be.) You may have noticed I didn't mention anything about the impact of commoditization on security, or security's impact on commoditization. That is a set of discussions for another time, but for now let's just go with "What could possibly go wrong?" Jack</description><link>http://www.secuobs.com/revue/news/164063.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/164063.shtml</guid></item>
<item><title>Layer 8 post: The meaning of metrics</title><description>Secuobs.com : 2009-11-21 22:19:38 - Uncommon Sense Security - Always accurate, insightful, and irreverent, there's another great post over on the Layer 8 blog, this time taking aim at the "security metrics" landscape. "The meaning of metrics" has a great take on metrics, and really separates reality from navel-gazing. It also provides some memorable quips and quotes. I especially like "Keep applying the 'so what' criterion to your metrics", and words to live by: "Don't be a metrics wanker". Jack</description><link>http://www.secuobs.com/revue/news/163836.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/163836.shtml</guid></item>
<item><title>Whose customers are they?</title><description>Secuobs.com : 2009-11-16 06:05:42 - Uncommon Sense Security - Those nice folks who give money to your company, you know, the customers: whose customers are they? Are they the company's customers, or the salesman's? Or a bit of both? Maybe it is more complicated than that; if your company sells through partners/agents/resellers, now whose customers are they? And the tricky bit: you aren't trying to secure customer data without everyone involved understanding, and agreeing on, whose customers they are, and who is responsible for the data, are you? That would be a waste of time, wouldn't it? If you are new at this, especially if you only see it from an information security perspective, this may seem fairly simple. It isn't. Salesmen (real salesmen, as opposed to people who just sell stuff) always have their "Rolodex" with their customers in it. That's part of what you get when you hire a salesman, access to their customer base, and the salesman takes it with them when they go. The salesman's right to take their customer list with them was supposedly codified in law in some states, but regardless of law, the practice has been universal. And now we have breach disclosure and data protection regulations preventing customer information from "leaking", so that magically stops, salesmen readily surrender their livelihoods without a battle (to a salesman, their customer list is their livelihood, make no mistake about that), and we're covered. And those jurisdictions which codified the salesmen's rights to their customers, I'm sure they updated their laws to reconcile the conflicts between the various laws and regulations protecting the salesmen's rights and the customer's data. No state would leave businesses stuck between contradictory laws, twisting in the wind. Things like that just don't happen. I would like to offer a simple answer, but this is another one where lawyers most likely need to be consulted, the problems discussed, policies drafted, etc. The critical part will be making sure everyone involved knows and understands what the policies are, what legal implications drove the policies, and how the policies will be enforced. And then the policies must be enforced. I do have a few ideas about this: Social Security, credit card, or other account numbers need to be expressly prohibited from entering or leaving via "the Rolodex". No brainer, but needs to be clear to all involved. If any information is allowed to enter the company via "the Rolodex", it is only fair to allow it to leave that way. If it can't leave, don't let it come in. If it comes in, it came from somewhere else where they are fighting the same battle. The data is going to leave anyway. Deal with it. Really, deal with it. Everyone has to know what is and is not allowed. Steps need to be taken to control and monitor data. This doesn't excuse the company from doing the right thing whenever possible, but the nature of people, especially salespeople, must be taken into account. So, whose customers are they? And who is responsible for their data? Jack</description><link>http://www.secuobs.com/revue/news/161075.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/161075.shtml</guid></item>
<item><title>Frequently Asked Questions Regarding 201 CMR 17.00</title><description>Secuobs.com : 2009-11-03 04:48:18 - Uncommon Sense Security - What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009? There are some important differences in the two versions. First, the most recent regulation, issued in August of 2009, makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC's Safeguards Rule. A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business' size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk-based approach is especially important to those small businesses that do not handle or store large amounts of personal information. Second, a number of specific provisions required to be included in a business's written information security program have been removed from the regulation and will be used as a form of guidance only. Third, the encryption requirement has been tailored to be technology neutral, and technical feasibility has been applied to all computer security requirements. Fourth, the third-party vendor requirements have been changed to be consistent with federal law. To whom does this regulation apply? The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. The regulation does not apply, however, to natural persons who are not in commerce. Does 201 CMR 17.00 apply to municipalities? No. 201 CMR 17.01 specifically excludes from the definition of "person" any "agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof". Consequently, the regulation does not apply to municipalities. Must my information security program be in writing? Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information. What about the computer security requirements of 201 CMR 17.00? All of the computer security provisions apply to a business if they are technically feasible. The standard of technical feasibility takes reasonableness into account (see the definition of "technically feasible" below). The computer security provisions in 17.04 should be construed in accordance with the risk-based approach of the regulation. Does the regulation require encryption of portable devices? Yes. The regulation requires encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies. Do all portable devices have to be encrypted? No. Only those portable devices that contain personal information of customers or employees, and only where technically feasible. The "technical feasibility" language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, BlackBerries, netbooks, iPhones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops. Must I encrypt my backup tapes? You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e., the tape allows it), then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled, and take appropriate steps to secure and safeguard the personal information. For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards. What does "technically feasible" mean? "Technically feasible" means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used. Must I encrypt my email if it contains personal information? If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. There are alternative methods to communicate personal information other than through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information. Are there any steps that I am required to take in selecting a third party to store and maintain personal information that I own or license? You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information. The third-party service provider provision in 201 CMR 17.00 is modeled after the third-party vendor provision in the FTC's Safeguards Rule. I have a small business with ten employees. Besides my employee data, I do not store any other personal information. What are my obligations? The regulation adopts a risk-based approach to information security. A risk-based approach is one that is designed to be flexible while directing businesses to establish a written security program that takes into account the particular business's size, scope of business, amount of resources and the need for security. For example, if you only have employee data with a small number of employees, you should lock your files in a storage cabinet and lock the door to that room. You should permit access to only those who require it for official duties. Conversely, if you have both employee and customer data containing personal information, then your security approach would be more stringent. If you have a large volume of customer data containing personal information, then your approach would be even more stringent. Except for swiping credit cards, I do not retain or store any of the personal information of my customers. What is my obligation with respect to 201 CMR 17.00? If you use swipe technology only, and you do not have actual custody or control over the personal information, then you would not own or license personal information with respect to that data, as long as you batch out such data in accordance with the Payment Card Industry (PCI) standards. However, if you have employees, see the previous question. Does 201 CMR 17.00 set a maximum period of time in which I can hold onto (retain) documents containing personal information? No. That is a business decision you must make. However, as a good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected, and limit the time such information is retained to that reasonably necessary to accomplish such purpose. You should also limit access to those persons who are reasonably required to know such information. Do I have to do an inventory of all my paper and electronic records? No, you do not have to inventory your records. However, you should perform a risk assessment and identify which of your records contain personal information so that you can handle and protect that information. How much employee training do I need to do? There is no basic standard here. You will need to do enough training to ensure that the employees who will have access to personal information know what their obligations are regarding the protection of that information, as set forth in the regulation. What is a financial account? A financial account is an account that, if access is gained by an unauthorized person to such account, an increase of financial burden, or a misappropriation of monies, credit or other assets could result. Examples of a financial account are: checking account, savings account, mutual fund account, annuity account, any kind of investment account, credit account or debit account. Does an insurance policy number qualify as a financial account number? An insurance policy number qualifies as a financial account number if it grants access to a person's finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other assets. I am an attorney. Do communications with clients already covered by the attorney-client privilege immunize me from complying with 201 CMR 17.00? If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications. You must take the steps outlined in 201 CMR 17.00 to protect the personal information, taking into account your size, scope, resources, and need for security. I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well? Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA. What is the extent of my "monitoring" obligation? The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks, will depend largely on the nature of your business, your business practices, and the amount of personal information you own or license. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record will demand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use. Is everyone's level of compliance going to be judged by the same standard? Both the statute and the regulations specify that security programs should take into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case-by-case basis.</description><link>http://www.secuobs.com/revue/news/156484.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/156484.shtml</guid></item>
<item><title>Widgititis</title><description>Secuobs.com : 2009-11-03 04:48:18 - Uncommon Sense Security - I know, that cool Podcast.com widget over there needs an update. I tried that, but they are having "technical difficulties" at Podcast.com right now. I'll be adding Exotic Liability, Threatpost podcasts, and others, with some details soon, if they get the widget fixed. If not, I'll swap it out for a different widget. While you're waiting, head over to Pauldotcom and listen to me humiliate myself and several others on their Halloween episode. Not for the faint of heart, the easily offended, or anyone burdened by a sense of decorum. The remaining parts of the podcast were great: tech segments, juvenile yet informative banter, etc. Jack</description><link>http://www.secuobs.com/revue/news/156483.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/156483.shtml</guid></item>
</channel>
</rss>
 
