Results tagged “infosec”

ShmooCon 2011 After-Report

I don't attend many hacker cons because, quite frankly, I'm not really the hacker type. No, no... it's true... I'm more of the corporate wonk type with a penchant for strategy, architecture, policies, and the like... all important things in infosec, but things that are not generally featured or of interest to hacker cons. Nonetheless, I go, hoping against hope that I'll see something interesting and that at least a couple talks won't be so poorly constructed or delivered that I'll either flee or fall asleep.

For this year's hacker con adventure I opted to attend ShmooCon, which I think I'll now add to the annual schedule (especially given the low cost and easy proximity). It was a decent experience with the requisite number of "omg we're so screwed" moments, coupled with all the social attributes necessary to make the event fun. I learned a few things, but mostly have ideas for the future. As is typical of my previous experiences attending a specific con for the first time, I know that my next attendance of the con will be better because I'll know the ropes a bit and have my expectations better adjusted.

So, without further ado...

What's the Point of Conferences?

The 2011 security conference season is upon us, with Black Hat DC already fading in the rear-view mirror. As I embark upon a busy couple of months, I can't help but reflect a bit on what is to come and question the value (perceived and real) of all this hoopla. Sure, I love getting the chance to travel a bit and catch up with friends whom I typically only see at these events, but beyond the social aspect, what's the value of the security conference?

If you haven't read the Threatpost article "U.S. Needs Cybersecurity Skunk Works, Expert Says" yet, then take a minute to do so. Go ahead, I'll wait.

Ok, back? Cool...

I have 3 responses to this article:
1) A "think tank" could be interesting, especially if implemented using the same biz model as In-Q-Tel uses.
2) If done, the government cannot be in charge of it in any way, shape, or form. Participate? Sure, but not in charge. Otherwise, it would be a complete, abject failure.
3) "policy makers and security experts don't even know which questions to ask, let alone what the correct answers are" - Ummm, well, let's see... sure, policy makers are clueless, but perhaps he's not talking to the right "security experts," because I'd like to think a number of us actually know the right questions...

Overall, I'm unsurprised by the lack of clue, but am still a bit disappointed. And this was the keynote speaker for Black Hat DC today. Oh, well...

Added bonus quote: "a wonk-geek coalition" - seriously? *rolls eyes*

How Does This Add Value?

This question, in short, summarizes my theme for the year. In chatting with a friend of mine a couple weeks ago (see his article "Move your security career forward by looking back") it occurred to me that I need to look back at what I've been doing and think about how I'm adding value. My short conclusion is that there's very little true value to be found in much of what I've done of late. Sure, my customers are happy, we've completed projects, and we've kept other projects moving forward, but to what end? In all the hustle and bustle of things, are we really making a measurable difference? And, as my friend Erin used to tell me back in my brief heyday as a security director, all the theory in the world doesn't mean much if you can't actually show what you've done.

Overall, I'm coming to believe that we've worked ourselves into a corner. We have great movements like Security B-Sides, but at the same time it seems like we're just talking loudly in the echo chamber. What are we doing to reach outside the community to, ya know, the people who actually need to do a better job with security? While I think there's potential value in revolutionizing the security industry, it only makes sense to do this if it helps us achieve our goals outside the industry.

The Holiday Blur...

With humblest apologies, I don't envision having any substantive posts to share through the end of the year. Perhaps I'll be inspired sometime in the next week, but I don't view that as an assured thing. Mostly I'm just cold these days. :) Since I hate to leave you, my loyal reader, with nothing to read or think about, I'll provide a couple thoughts for discussion:

1) Time "Person of the Year" 2010 - Mark Zuckerberg - Discuss and describe how "Facebook has merged with the social fabric of American life, and not just American but human life..."

2) What would your reaction be if it was definitively proven that the U.S. Government was behind Stuxnet? What would your reaction be if it was, instead, China?

3) ExploitHub is selling exploits for profit. Discuss pros/cons of the business model. For extra credit: represent the perspectives of foreign organizations (governmental and *ahem* non-governmental).

4) WikiLeaks - Should we care? Does it change anything? (references: STRATFOR: Taking Stock of WikiLeaks and Arbor Networks: "The Internet Goes to War")

5) What lessons should we really learn from Gawker? (references: "Lessons Learned From the Gawker Hack" and "The Gawker hack: how a million passwords were lost")

You Can't Solve What's Undefined

It's all over the news, whether we're talking about the TSA and "security theater" or Wikileaks and the sensitive data spewing out of government, business, and academia (there's a certain irony here, btw, insomuch as much of this data has likely been captured previously). There are "security problems" and they must be solved! Unfortunately, these "solutions" tend to be nothing remotely associated with the actual core problems. Instead, we end up with half-baked ideas that do no real good, or draconian laws that do more harm than good.

At the heart of the matter is one simple challenge: More often than not, leaders "solve" problems that are at best ill-defined. How many billions of dollars are being wasted each year on "solutions" that end up costing organizations more money, whether it be in maintaining the solution, or having to revamp business processes to fit the solution (instead of the other way around), or simply in going through the heartbreak of investing in a technology (*cough*naked scanners*cough*) that wasn't needed in the first place?

Step 1: Start with a top-notch planning team.
Step 2: Find an outstanding venue.
Step 3: Find enthusiastic and generous sponsors.
Step 4: Develop a strong slate of speakers.
Step 5: Deliver on its awesomeness.

In the case of #BSidesOttawa, this is now "mission accomplished" thanks to the outstanding efforts of Justin Foster, Peter Hillier, and Andrew Hay (plus a few others whose names I'm remiss in forgetting). As a co-conspirator in #BSidesAustin, I greatly appreciate the amount of effort that goes into planning for a conference. The guys in Ottawa definitely knocked this one out of the park! It's looking favorable that this will trigger a handful of BSides events throughout the country, which I personally think is outstanding.

This post is a wee bit delayed thanks in large part to workload and the American Thanksgiving holiday. That being said, I think it's high time to cover some of my personal highlights from the inaugural #BSidesOttawa event...

The Great TSA Debacle: Groping for Success

There's been a veritable metric ton of coverage this past week over the TSA and their ham-fisted approach to security. This week's controversy is around the combination of back-scatter X-ray scans and the introduction of "enhanced" pat-down techniques that, in some states, literally amounts to definitive sexual battery. There are an increasing number of anecdotes from people about abuses of the system, and a whole lot of attention placed on privacy issues. I'll provide some thoughts on those aspects, but before I do so, I want to hit what I think is the #1 reason why the TSA is wholly deficient in the area of airport security.

First, a word on terrorism: By abandoning the principles upon which this country is founded, and which make the US unique and special, the terrorists have won. Every time the bureaucratic geniuses here in DC make another idiotic and irrefutably clueless decision like this latest round of lunacy, the objectives of the terrorists are achieved in ways the terrorists could have never accomplished on their own. It is our patriotic duty to refuse to be terrorized (!

I've been mulling over writing a "cyber war" piece for several months - ever since Bejtlich started a series of posts last July on the topic, coupled with my reading of Richard Clarke's book, Cyber War. However, I've held off, mainly because I've been somewhat on the fence with the whole topic. On the one hand, yes, nation-states are conducting operations online, though they primarily fall under the heading of "espionage" and are not "attacks" per se. On the other hand, we have some suspicious situations (e.g., Georgia, Estonia, Google's "Operation Aurora," Stuxnet, Israel's bombing of the Syrian nuclear facility) that seem to clearly lean in the direction of being "cyber warfare" (or, offensive) operations.

Part of the problem I face in thinking about this topic is trying to separate the FUD-driven rhetoric from the realities of the current threat landscape. Those generals and politicians (one and the same?) behind the creation of the US Cyber Command provide a good example of hype and noise intended to generate false concern in order to further a clearly political agenda: formation and funding of Cyber Command. Ironically, all of this FUD highlights what is a clear problem: that the US Military is largely focused on offensive operations, neglecting the home front where we're most vulnerable (see my prior post "Missing the "Defense" In DoD?").

Consumer Computers: The Weakest Link?

There's a new consumer-oriented report out from NSS Labs today, and it's more of the same-old-same-old. Unsurprisingly, AV suites are not silver bullets, nor are they perfect. Perhaps a bit disturbing is how poor many are at detecting known malware, but it's also a wee bit disconcerting that many claim to stop known exploits and yet seem to fail miserably. Per the report, the average lame criminal has about a 10% chance of being successful with a web malware exploit, and around a 1 in 4 chance of running an exploit past these security tools.

None of us should find this terribly surprising. AV suites are just one piece out of the overall self-protection puzzle. Other key components include regular OS patching, use of host-based firewalls, and use of additional security tools, such as IE8's SmartScreen filtering technology. For that matter, Google's safe search capability helps supplement your own consumer security.

There Is No "Win"

Traditional rules of engagement suggest a winner and a loser at the end of a conflict. Of course, in the modern era, having seen the stalemate in Korea and Vietnam, we know that sometimes there's a third option that rests between "win" and "lose." Sometimes compromise is the best path forward. In other cases, you simply need to redefine the game to a more favorable outlook that allows you to see things for what they are. As the late, great Grandmaster Helio Gracie once said in his advanced age: he may not beat you, but you'll definitely never beat him. Sometimes surviving attack is a far greater victory than any other option.

In infosec, this is our problem today. Traditionally we've held the mindset that we "win" if we stop the attackers. This mindset is sheer folly. To "win" in this scenario we need to successfully defend against 100% of attacks, whereas the attacker need only succeed once (probabilistically this works out to being far less than 100%). This outdated mindset is also rather naive in that it assumes that your defensive capabilities can outweigh any adversary, as if our IT budgets are bottomless.

Reflections on EnergySec Summit 2010

It's taken me a couple weeks to get this note out, but better late than never, right? I had the opportunity to attend the 6th EnergySec Summit in Denver, CO, a couple weeks ago. EnergySec was interesting in that it brought together people from all levels of the business, along with vendors, regulators, and consultants. It was great to meet a lot of people, and even better to start gaining a better understanding of the problems facing this industry.

Perhaps the most striking impression I had in walking out of the Summit was just how crushed (and paralyzed) the industry is as a result of well-intentioned, misguided regulations. If you think that PCI is challenging, then multiply it by a million, and be sure to introduce a number of contradictory and incompatible requirements. That seems to be where this sector is today, which is a bit troubling considering just how vital it is to our very existence.

You might have noticed an article yesterday on CSO Online titled "Akamai releases 'game changing' cloud-based payment service" and wondered "that's interesting - I wonder what it all means?" That was certainly the case for me and, I have to say, I'm a little disappointed now that I've gotten under the hood a bit.

Before I go any further, let me be clear on something up front: I think this technology is a good thing, I think what Akamai is doing is laudable, and I hope that merchants make use of the solution. I've been saying for a couple years now that part of the "solution" to PCI compliance concerns is to simply get cardholder data out of merchants' hands. This solution helps accomplish that goal. However, it's no panacea, and we need to be cautious how much hope we place in it.

Building "Blue" Software Ecosystems

I had the opportunity a couple weeks ago to attend the OWASP AppSec USA 2010 conference in Irvine, CA (this post would have gone up last week, but my laptop hdd died while on travel). Unlike some of the larger conferences, AppSecUS was a much more intimate affair with only a few hundred attendees. These types of conferences can be a lot of fun as they lend themselves more naturally to open discourse, sharing of experiences, and the building of community. This event did not disappoint.

There were a couple keynotes that particularly captured my attention. The first was by Jeff Williams, head of Aspect Security and President of OWASP. In it he spoke about the need for building-in security frameworks and enablers as part of our software ecosystem. The other talk that I found particularly interesting was by David Rice, in which he used the analogy of the anti-pollution movement, along with relatively new thinking about sustainability and the new notion of "going blue" that was introduced by Adam Werbach. Putting these concepts together, and then mixing them in during the ensuing hallwaycon discussions, raised some interesting notions in my mind.

Missing the "Defense" In DoD?

As I finished reading Richard Clarke's book, Cyber War (see Bejtlich's notes on it), this weekend, a thought occurred to me based on one of his consistently reiterated points: the Department of Defense seems to be a misnomer, if not an oxymoron. That is, when you think about it, the US DoD doesn't seem to be oriented so much toward "defense" as "offense." This point is not lost on Clarke, who talks about how the American military is ill-prepared and ill-positioned for defending the homeland from cyber-attack. Even worse, the so-called Department of Homeland Security isn't apparently chartered to deal with defending the homeland either so much as it is with protecting government networks, at least in the cyber sense of things (obviously Border Patrol, TSA, and the Coast Guard, among others, are charged with physical protection).

It seems to me that this problem represents a need for a paradigm shift. This is not to say that I think we should charter traditional military functions for operating within our borders, but that we need to rethink our military approach altogether. In part, I think that one of the key failing points in our current cultural and institutional mindsets is that we are too focused on offense and lack any sort of real or necessary competence around defense, resiliency, and self-preservation (note: I've written about self-preservation in the past).

Approaching the Problem Backwards

I've read recently, with much interest, a post by Martin McKeay about how he would redesign the PCI framework, as well as an in-depth summary from InfoLawGroup about the most recent entry into the draft legislation pool on security and breach notification. The more I think about this notion of creating standards and laws that spell out certain requirements, the more I think we've gotten it completely backwards. It actually makes me nervous when a regulation goes into such extensive detail, a la PCI DSS, that it tells organizations exactly what they need to do, as if one could possibly say universally what is most appropriate for every organization in their context with their own unique risk profile.

As further evidence that I think we've approached things from the wrong perspective, consider Seth Godin's recent post, "Resilience and the incredible power of slow change," in which he says:

"Cultural shifts create long-term evolutionary changes. Cultural shifts, changes in habits, technologies that slowly obsolete a product or a system are the ones that change our lives. Watch for shifts in systems and processes and expectations. That's what makes change, not big events."
He's absolutely hit the nail on the head here. What we need is a culture shift, not some lightning bolt from heaven that suddenly forces a massive corrective action. We're all living with institutional inertia that greatly limits our ability to chart instantaneous course corrections. Instead of mandating long lists of penny-ante requirements, we instead need requirements that will start initiating cultural shifts. In this regard, if PCI DSS 2.0 actually contained a meaningful rewrite, then I would think the new 3-year release cycle would be ok.

Cyber War and the Value of FUD

Please Note: This article is cross-posted from

I've been reading Richard Clarke's latest book, Cyber War, in an effort to delve deeper into the topic. Maybe it's been all the recent inflammatory rhetoric, or maybe it's an earnest interest, or maybe - just maybe - it comes from an innate interest in fighting obtuse uses and abuses of FUD.

The tone of the book initially is far less FUD-y than one might expect. Some of the tech details are clearly off a bit, but overall it's been surprisingly level-headed. Except for the scenarios. These are some of the most over-the-top scenarios I've seen since "digital Pearl Harbor" in 2000. However, in this case it gives me pause, and not just because of the glaring FUD factor.

Our good friends at NSS Labs have released a new report today independently evaluating the effectiveness of Host Intrusion Prevention Services (HIPS) that are integrated into most mainstream security suites. In this go-round, they've evaluated solutions from AVG, ESET, F-Secure, Kaspersky, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro. As with previous reports I've reviewed (see AV/malware here and IPS here), this report provides a very thorough look at the capabilities of these product suites.

A Stroll Down Amnesia Lane

I was cleaning out some old boxes of "stuff" from days gone by and ran into a hard copy of a presentation that I delivered as part of the interview process at CERT/SEI in Pittsburgh back in 1998. At the time, I had been very hopeful to get a job at CERT as they were doing security work that I simply wasn't seeing in the private sector (at least, not in the Midwest). Alas, it didn't work out, but I digress...

What jumped out at me about this presentation is that, in 12+ years, nothing has changed! The same arguments I made back then about needing to be proactive with security, working to integrate it into all aspects of the business in order to make it implicit and inherent are still true today. Perhaps the most interesting bullet in those slides for me was one where I asked "why aren't we teaching calculus and computer science in elementary schools?" I don't think my audience grokked the question back then, and I'd be surprised if people would even get it today.

Password Complexity is Lame

As I'm sitting here in FAIR training this week in Cincinnati, I've been starting to apply rational thought to some of the tried and true "best practices" that have become cornerstones of our industry. To me, password complexity has always been somewhat ridiculous, since given enough time any captured password can be broken. This leads me to wonder, what are the common threats to passwords, and how does password complexity help protect against those threats?

Sitting here thinking about it, I think there are three common scenarios against which we're developing controls:
1) Brute-forcing an authentication interface.
2) Brute-forcing a captured password hash.
3) Guessing passwords (not using automated controls).


Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10