infosec Archives

January 18, 2007

Computer Security Awareness Video Contest

A colleague recently posted a link to the "EDUCAUSE/Internet2 Computer and Network Security Task Force and the National Cyber Security Alliance" Computer Security Awareness Video Contest. Some of these videos are absolutely hilarious. My favorite is the 3rd place video featuring the McCumber Cube. I took a class from McCumber at GWU and have kept in touch with him since then. Worth a look! :)

January 28, 2007

Web 2.0 vs. Privacy & Security

I've been thinking a lot lately about the impact of Web 2.0 on information security. I've read Tim O'Reilly's seminal "What Is Web 2.0" article that defines this new trend. I've attended Dion Hinchcliffe's Web 2.0 training. I've read (most of) The Long Tail and The World Is Flat. I get it. I understand this new surge in the Internet economy. I see myriad opportunities for monetization for anything that can be sold effectively online, for ad revenue, for social networking, and for further redefining the customer relationship experience.

In the end, I do not see how any of this changes the fundamental issues within Privacy and Security. It does, however, potentially make things worse. Here's my take on some of these fundamental issues:

February 27, 2007

Notes on "The Psychology of Security"

I recently read Daniel Gilbert's Stumbling on Happiness (I blog briefly about it here), which got me to thinking about the tricks the brain plays on us and how this might apply to security. Interestingly, not long after that Dr. Bruce Schneier posted a paper titled The Psychology of Security, which he presented at the 2007 RSA Conference. In reading through his paper, I found a considerable amount of similarity with Gilbert's book, which was interesting. More interesting, however, were insights I've gained into how we as infosec practitioners might be able to better present security concepts to consumers and customers so that they'll welcome what we offer, rather than resist security improvements.

Following are my notes from reading Schneier's paper, plus some additional follow-up.

March 2, 2007

New Threats in Web 2.0

I've previously blogged about how I don't think, fundamentally, Web 2.0 represents a change in information security. It represents some new challenges, but the base goals are still the same -- Confidentiality, Integrity, Availability. I was able to attend a couple excellent internal conferences this week on Web 2.0, which has helped me further refine some of my thinking. One conclusion I've drawn over the past couple weeks is that the Web 2.0 "web as platform" principle is fairly significant, and is going to represent the new class of major self-propagating malware threats. And it gets worse.

March 4, 2007

Attack on Web 2.0 Exemplar: WordPress 2.1.1

Funny, I was just blogging about emerging threats in Web 2.0. Well, here's an example of an attack on a stalwart of the Web 2.0 concept, live and all: WordPress 2.1.1 has been declared dangerous after an attacker broke into the servers and modified the code base, inserting malicious code that allowed for remote code execution. This does not appear to be a "web as platform" class attack so much as a server-side code abuse attack. Really, the attack itself seems mundane. However, given the popularity of blog software, with huge growth due to social networking, this attack is amplified because of the Web 2.0 movement. fwiw. :)

March 7, 2007

Assurance and the Iceberg Principle

According to the iceberg FAQ, "About 7/8ths of an iceberg is below the water line." That's about 87%. Thus, the iceberg principle is that you only see a very small portion of the iceberg, potentially missing the vast majority of it.

Working in security assurance (which in this context means internal consulting and attestation, injecting security requirements in projects and then performing technical security testing as the project nears completion), we are constantly dealing with the iceberg principle. We typically see projects when they follow procedure and come to us. We review the portion of the overall application or system being developed, issue our findings, and then move on. In the background, however, is the rest of the project, hidden just below the water line. Because of the large number of projects we're expected to clear, this prevents us (usually) from probing deeper and perhaps finding those hidden concerns.

March 21, 2007

Nmap News, Beware GoDaddy

Fyodor has posted the latest Nmap News to the Nmap Hackers list. Check it out!

Quoting here one choice section, specifically to help raise awareness. If you are currently using GoDaddy, get off of it asap. Some whack job started flinging falsified accusations and DMCA requests around, which apparently resulted in the domain pull-downs, even though they weren't justified (see later in the newsletter, linked above).

April 19, 2007

KPMG Publishes "Profile of a Fraudster"

Ok, time to get back to an infosec focus here... :) KPMG UK has published a report that describes "fraudsters" (non-technical term describing a white collar criminal) based on analysis of 360 cases in Europe, South Africa, and the Middle East.

Below are some selected stats from the Executive Summary (section 3). If you find this interesting, I encourage reading the whole report. It's interesting to see reinforcement of the old-school notion that the vast majority of incidents come from insiders. This reinforces the need to protect the company against its own personnel, though without treating people as criminals. The old phrase "it's behind the firewall" is once again proved ridiculous.

May 7, 2007

DoD Intelligence Fails Occam's Razor

This is perhaps one of the more amusing failures of U.S. Department of Defense (DoD) intelligence in recent times. I couldn't find the link, but within the last year or so an intelligence report was put out warning against fake Canadian coins containing radio frequency (RF) transmitters for the purpose of espionage or surveillance. Well, it turns out those reports were grossly overstated. According to CNN.com, a special series of "poppy" quarters were released in 2004 by the Royal Canadian Mint to commemorate those lost to war. Apparently the DoD didn't get the memo.

What is perhaps most egregious here is the failure of the DoD to apply a modicum of common sense, such as in applying Occam's Razor. According to the CNN.com article, the defense contractors who "discovered" these "suspicious" coins performed a very detailed analysis of the pieces. Unfortunately, they came to conclusions that were, well, rather far-fetched. Maybe they had been reading spy novels and let their imaginations run away with them. I just find it sad that the level of analysis described could occur with the end result being issuance of a warning about spy coins that had no basis in the facts determined. Talk about a major disconnect between reality and imagination.

May 9, 2007

Investigation Works, (Media) Panic Ensues

We're a strange people. I'm unsure if this is an Americanism, or just a human trait, but it's kind of weird, and definitely rates high on the selfishness scale. A raid was conducted yesterday against a terror cell in New Jersey planning an attack on Ft. Dix. The raid was the result of good old fashioned police work, complete with a paid snitch and all the leg-work you would expect. Notice there were no restrictions on liquids or gels involved in this bust.

What I found annoying in local coverage, however, was that the media immediately jumped into super-hyped panic mode. "What if this were to happen here?!?!?", they'd say. Well, I hope that the investigators here are just as smart as the investigators in NJ, meaning they would take the tip and run with it, too. Hopefully people here would be just as cognizant of aberrant behavior and would report it accordingly.

May 13, 2007

Welcome New Postage Rates/Rules!

Ok, so, tomorrow (Monday 5/14) new postage rates and rules go into effect. First class mail increases from 39 cents to 41 cents. Annoying, but probably no biggie for the average person. USPS is also introducing the new "forever stamp" -- a stamp that will continue to be good regardless of future rate increases. Kind of clever, don't you think?

But wait, there's more! Apparently a bunch of rate rules are also changing, such as about the size and shape and thickness of envelopes. Is this a good thing? If this CNN.com article is any indication, then I would say "yes, it is a good thing!".

May 18, 2007

Schneier on Overreactions

Bruce Schneier has an excellent blog post today on why people overreact to events that are particularly rare (e.g., fear of plane crashes vs car crashes). It's well worth the time to read it, and is also worth checking out some of the included links.

June 1, 2007

TRAC DHS Report, Schneier Essay

The Bruce has a couple excellent posts on his blog this week. The first informs us of a TRAC report criticizing the DHS' lack of focus on terrorism. The second is an essay he wrote for Wired titled "Tactics, Targets, and Objectives" that touches on TSA, but really goes broader on the topic. The essay is very informative, I think, and definitely worth the read.

I don't have any commentary really to add. I'll be generating some new original content here over the weekend -- once I get my feet back under me from the break-neck pace of work these last couple weeks.

June 3, 2007

Notes on Cialdini's Influence

"Because technology can evolve much faster than we can, our natural capacity to process information is likely to be increasingly inadequate to handle the surfeit of change, choice, and challenge that is characteristic of modern life. More and more frequently, we will find ourselves in the position of the lower animals -- with a mental apparatus that is unequipped to deal thoroughly with the intricacy and richness of the outside environment. Unlike the animals, whose cognitive powers have always been relatively deficient, we have created our own deficiency by constructing a radically more complex world." (Influence, p.277)

I've recently completed Robert Cialdini's Influence: The Psychology of Persuasion (Collins Business Essentials). The book covers in detail what Cialdini has identified as the six most common methods of influence that are used or abused in compliance situations. A compliance situation would be any scenario where someone is trying to get something from someone else, either for themselves or their organization. Each of the six methods has its own chapter, which provides copious anecdotal and academic backing.

This work fascinated me from an information security perspective. One of the primary threats to average users today is from phishing and spam, which often lead to various types of fraud. These attack vectors often leverage one or more of the six methods, as I'll describe below. Following are my notes from the reading, with additional thoughts and anecdotes added as applicable.

June 4, 2007

Schneier on Cyberwar

Bruce Schneier has posted an essay from Jan 2005 on Cyberwar that is fairly interesting. It's an interesting contrast to Marcus Ranum's comments in his book The Myth of Homeland Security. What do you think?

June 15, 2007

Schneier: Be a Skeptic

Bruce Schneier has posted a recent Wired essay he wrote titled "Portrait of the Modern Terrorist as an Idiot" in which he urges us all to be skeptical of what we hear from the media and government, particularly with regards to so-called "terrorist" plots. He looks at the fear-mongering tactics used to push political agendas when these so-called "terrorists" are nothing more than a bunch of drooling idiots who are haphazardly trying to create a stupid idea.

This concept of skepticism is actually a very valuable thing to develop. CIO magazine recently had an article on "How the Elite Innovate" that talked, also, about being skeptical. Instead of being silent followers of all changes, we should instead think critically, asking hard questions, behaving in a manner that challenges change to make sure that it is, in fact, the right thing to do.

June 27, 2007

Security Idiocy: Politicians, Mobiles

Pardon me while I diverge from my travelogue for a moment to point out a couple articles demonstrating pure idiocy, first on the part of politicians, and second on the part of "security experts" mindlessly saying that something "might" be possible instead of pressing a more likely scenario.

July 9, 2007

Legal Items of Note: Blog Law, GPL, 9th Circuit Ruling

Greetings! I'm back! :) I'm sure you missed me, oh so much (mom). So, I've collected a few things of interest over the past couple days (or more) and thought I'd toss them all into a single post (since technorati whines if I post more than 1 article per couple hours [which is so weird]). Anyway, a quick overview of the topics:

1) A good blogger law resource.
2) Interesting notes from groklaw on MS, SCO GPL tapdance.
3) 9th Circuit Court ruling on warrantless monitoring.

August 10, 2007

FISA Free, Feds Could Be Hacker Enablers

Well, you've undoubtedly heard by now that our brilliant legislators apparently lost their freaking minds last week before then fleeing for Summer break. Yes, indeed, it's true: I left town and the prats passed legislation removing most of the FISA limitations to prevent the NSA from spying on everybody under the sun (well, ok, a "foreigner" must be involved, technically).

Susan Landau at the Washington Post has a great write-up on why this is such a remarkably bad deal. Bruce Schneier tags on with a few references to the recently uncovered Greek telecomm snooping debacle. Most other security sites have already touched on this, too, so I won't say really anything more than I have already.

If you feel righteous indignation (or outright anger) about this, then I highly encourage you to take a stand and do something about it!

August 11, 2007

Triumph in the Courts: SCO Summarized Out

It is a day to celebrate! All the madness in the SCO v sanity trials has come to a screeching halt, and SCO, I expect, will cease to exist very, very soon. Oh, and all those allies (Microsoft, you know we're talking about you) who propped SCO up and played license bully? They now stand to owe Novell a ton o' money. Ha ha ha!!

PJ has a good summary over on Groklaw here. Story also covered here and here.

August 14, 2007

Unofficial Threat of the Month: Phishing

Ok, phishing is not the "official" threat of the month, but if you follow any security blogs, you'll notice that the topic is coming up in several circles at the moment. First out was Symantec's "A Brief History of Phishing" Part I and Part II. Then came a piece from the Think Smarter blog titled Balancing Security and Usability: The Human Factor. And, lastly, Bruce Schneier has posted a piece citing two new bits of research on phishing. What does it all mean?

October 4, 2007

Colbert - Nailed 'Em: Cyber Terrorists (or "Cyberrorists")

I've been slammed and exhausted lately, so haven't had time to formulate a real post. So, to keep you interested and your appetite sated, I refer you to the Stephen Colbert report "Nailed 'Em: Cyber Terrorists". I hope you'll be as amused by this piece now as you should have been outraged in June. :)

October 10, 2007

xkcd: "Exploits of a Mom"

Click here to learn how to protect against such attacks.

Exploits of a Mom

October 18, 2007

The Changing Winds of Information Security

Anybody who knows me very well, has worked with me, or has followed my blog (well, back when I still made substantive posts like this one), will know that I'm obsessed with not only questioning everything, but also asking the right questions. It's actually a rather annoying knack that's emerged from growing up in an academic environment, where questioning and debating are ways of life. When other kids were playing Nintendo, I was watching the "Mysteries of the Unknown" video series, solving fun Math and Logic puzzles. For my career in information security, this has long been my mantra; namely, question everything, and make sure to ask the right (often hard) questions.

November 1, 2007

Um, no. Don't be stupid. And, a cool list.

Finally, another security post! You must have thought I'd forgotten all about this topic. :) Honestly, I have a few ideas in notes at home, but haven't been motivated to write lately. But that's all about to change as of right now.

I have three different items for you today. First, in "Um, no." I talk about a recent posting on the Symantec Security Response Weblog that is, well, rather moronic. Next, "Don't be stupid." is a quick pointer to another excellent Bruce Schneier blog post on counter-terrorism stupidity. Last, Richard Bejtlich at TaoSecurity has a great list of responses, from worst to best, that measure the degree of proof provided in response to the question "Are you secure?".

November 6, 2007

Poor Handling of False Positives by FBI

A false positive is a test result that indicates an affirmative response when the actual response is negative. It's also known as a Type I error (Wikipedia has an excellent write-up on Type I and II errors). False positives are problematic in information security because they can result in "the little boy who cried wolf" situations. Meaning, if you start seeing a bunch of alarms and they're always false alarms, you'll start ignoring the alarms. Thieves have been known to use this tactic to trick police or security guards into ignoring alarms so that they can then burgle successfully. In information security, we try to find ways to eliminate false positives, or at least develop methods of validating the data through an alternative method rather than accepting the false positive as accurate. If only the federal government understood the need for and importance of doing this.
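To make the Type I / Type II trade-off concrete, here is a small added example (mine, not from the post or from Schneier) that scores a stream of alerts two ways: escalate on the noisy primary detector alone, or escalate only when an independent second signal corroborates it. The alert records, the host names and the two detector names are constructed for illustration.

```python
"""Type I / Type II error rates for an alert source, and a corroboration
rule that validates an alarm against an independent signal before anyone
acts on it. Added example, not from the post; the alert records are
constructed to illustrate the trade-off, not real incident data."""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Alert:
    host: str
    primary_fired: bool     # the noisy detector, e.g. a broad IDS signature
    secondary_fired: bool   # an independent indicator, e.g. endpoint telemetry
    truly_malicious: bool   # ground truth established by later investigation


def error_rates(alerts: Iterable[Alert], rule: Callable[[Alert], bool]):
    """Return (false_positive_rate, false_negative_rate) of a decision rule.

    Type I error (false positive): rule fires on a benign event.
    Type II error (false negative): rule stays quiet on a malicious one.
    """
    fp = fn = benign = malicious = 0
    for a in alerts:
        fired = rule(a)
        if a.truly_malicious:
            malicious += 1
            if not fired:
                fn += 1
        else:
            benign += 1
            if fired:
                fp += 1
    fpr = fp / benign if benign else 0.0
    fnr = fn / malicious if malicious else 0.0
    return fpr, fnr


def primary_only(a: Alert) -> bool:
    """Escalate on the primary detector alone: every alarm wakes someone up."""
    return a.primary_fired


def corroborated(a: Alert) -> bool:
    """Escalate only when an independent signal agrees with the primary one."""
    return a.primary_fired and a.secondary_fired


# Constructed sample: 3 genuinely malicious events, 8 benign ones.
SAMPLE = [
    Alert("ws-01", True, True, True),
    Alert("ws-02", True, True, True),
    Alert("ws-03", True, False, True),   # real, but only the primary saw it
    Alert("ws-10", True, False, False),  # primary false alarms (Type I)
    Alert("ws-11", True, False, False),
    Alert("ws-12", True, False, False),
    Alert("ws-13", True, False, False),
    Alert("ws-14", True, True, False),   # both fired on a benign event
    Alert("ws-15", False, False, False),
    Alert("ws-16", False, False, False),
    Alert("ws-17", False, False, False),
]


def compare(alerts=SAMPLE) -> dict:
    """Side-by-side rates so the cost of each rule is visible at a glance."""
    return {name: error_rates(alerts, rule)
            for name, rule in (("primary_only", primary_only),
                               ("corroborated", corroborated))}


if __name__ == "__main__":
    for name, (fpr, fnr) in compare().items():
        print(f"{name:13s} false-positive rate {fpr:.2f}  "
              f"false-negative rate {fnr:.2f}")
```

On the constructed sample the corroboration rule cuts the false-alarm rate from 5 of 8 benign events to 1 of 8, which is what keeps analysts from learning to ignore the alarm. The price is one missed real event (a Type II error), so the second signal has to be genuinely independent and the residual misses have to be accepted knowingly rather than discovered later.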

According to a post by Bruce Schneier, a man in Sweden was unhappy with his son-in-law, who was in the process of divorcing the man's daughter. This soon-to-be-ex-son-in-law was traveling to the US, against the wishes of his wife, which caused disgruntlement. To exact retribution, this older man in Sweden sent an email to the FBI accusing his soon-to-be-ex-son-in-law of being a terrorist, providing flight details and indicating that the son-in-law was en route to meet with his al Qaeda contacts.

Excellent Secure Coding Paper

D.J. Bernstein, author of qmail and professor at U-Chicago, has released a new paper on qmail security. Though ostensibly about qmail, it's really an exposé on secure coding practices. In the paper, he identifies three fundamental approaches that will meet "users' security requirements" within a given program:
1) eliminate bugs
2) eliminate code
3) eliminate trusted code

There's nothing I can say here that isn't better said by DJB in his paper. As such, I highly recommend reading it right away. It's very short (10 pages including the page of references) and very accessible. You do not need to be a programmer or a CompSci major to understand what he is saying.

November 12, 2007

When Inflexible Meets Uncreative

It's a little after 5am local time and I've been up now for almost 2 hours. No, I'm not suffering from insomnia, nor am I trying to use myself in a sleep deprivation experiment. Rather, the security alarm in the apartment (for which I have no use) has decided to start beeping (rather loudly) about every 30 seconds. I'm sure they gave me directions for the darned thing when we moved in, but that was nearly 3 years ago, and I haven't the foggiest idea where they are.

So, the next logical thing was to call the after-hours maintenance hotline and have the on-call person paged. I say "logical" because the other option that occurred to me ranged between ripping the panel out of the wall to simply cutting the wires.

I called the maintenance hotline and the woman took my info and the nature of the problem and said she'd call maintenance. And then I waited. And waited. And waited. 30 minutes went by and no response. So, I called the hotline again, got the same woman, and she says "I'm sorry, this isn't on our pre-defined list of emergencies." !!!!!!! An alarm, for which I have no remedy, is going off at 3:30am and she won't page the on-call because it's not on her list. To make matters worse, she couldn't be bothered to call me back and tell me this. I had to wait 30 minutes and then call back to find this out. Putting aside the sheer failure in customer service, let's explore the fundamental problem here: inflexibility and a lack of creativity in finding a solution. This minimum wage drone had no motivation to help me.

November 15, 2007

The Danger of Intolerance in Public Fora

We've had an interesting, though sadly disparaging, thread on the cisspforum this week. I can't post any direct quotes for you, since that would be a violation of the forum guidelines, but I can talk about the issues in a generalized sense. I wish to do this because I find it indicative of some larger problems within the security industry, and in fact within American society at large.

The core point of contention in this thread was whether or not so-called "off-topic" posts were appropriate. The forum guidelines clearly prohibit content that is not related to security. A couple people argued quite vehemently that anything that diverged from that rule should be strictly omitted. This stance seems reasonable, perhaps, at first glance, but it begged a larger question: given the extremely broad subject that is security, how does one gauge whether or not a post is relevant? Moreover, whose opinion holds more weight in answering that question?

November 29, 2007

D'OH! Brilliantly Simple Password Compromise Scheme

Awesome. It's so obvious, and yet so brilliant. There's tons of free code out there to setup such a tool, too.

How to Harvest Passwords
Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

Hat tip to guru Bruce Schneier for the find.
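The defensive counterpart to the scheme above is a meter that does its scoring wherever the password already is and never sends it anywhere. Here is an added example (mine, not Schneier's and not from the linked post) of such a local estimator: a brute-force entropy bound plus a check against a local common-password list. The list is a constructed stand-in for a real local breach file, and the score thresholds are my own assumption.

```python
"""Password strength estimate computed locally, where the password already
is, so the meter never needs to transmit anything. Added example, not from
the post; the common-password list is a constructed stand-in for a real
local breach-list file, and the scoring thresholds are an assumption."""
import math
import string

# Constructed stand-in for a local breach list (real ones run to millions).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet that contains every character."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in pw):
        size += 100  # rough allowance for non-ASCII characters
    return max(size, 1)  # whitespace-only input contributes 0 bits, not an error


def estimate_bits(pw: str) -> float:
    """Brute-force entropy upper bound: length * log2(alphabet size)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def rate(pw: str):
    """Return (score 0..4, reason). Nothing here needs a network call."""
    base = pw.lower()
    # Also catch the classic 'password1' / 'welcome2024' digit-suffix trick.
    if base in COMMON_PASSWORDS or base.rstrip(string.digits) in COMMON_PASSWORDS:
        return 0, "common password"
    bits = estimate_bits(pw)
    if bits < 30:
        return 1, f"very weak ({bits:.0f} bits)"
    if bits < 45:
        return 2, f"weak ({bits:.0f} bits)"
    if bits < 64:
        return 3, f"fair ({bits:.0f} bits)"
    return 4, f"strong ({bits:.0f} bits)"


if __name__ == "__main__":
    for candidate in ("password1", "abcdefg", "Tr0ub4dor&3"):
        score, reason = rate(candidate)
        print(f"{candidate!r:16s} score {score}: {reason}")
```

The same logic ports directly to the browser, which is where a registration form should run it; a form whose "strength check" makes a request to someone else's server has no legitimate reason to do so, and that is the tell to look for.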

November 30, 2007

Exploit Packs Change Economic Model

The Symantec Security Response Weblog has an excellent post up today titled "Honor among thieves?" that talks about free versions of the now-infamous Mpack and IcePack exploit packages containing backdoors and additional redirects. They theorize that this is essentially the premium for getting the packs for free, which is very interesting. In essence, the malware gurus are using an ad revenue model to make money off the packs. This is kind of like the shift from Web 1.0 to Web 2.0 in terms of moving away from relying on product sales to really leverage the long tail available to them. :)

Ok, so some of my thoughts here are tongue-in-cheek, but it's an interesting post nonetheless. Check it out! :)

December 6, 2007

Session Fixation, Mandated Spying, and Why We Need Religion

Ok, this is a grab bag post, I admit it... First off, Shawn has posted a great explanation of session fixation, a little-discussed and little-known security vulnerability. Second, our government at work... it seems the House, in a pre-election frenzy (a little early for that, don't you think?), has rapidly passed a bill that I guarantee is so poorly thought through that it will cause lots of headaches if it ever makes its way into law.

Specifically, Congress now thinks that any provider of Internet access, including free wi-fi at your local coffee shop, must report "obscene" images to NCMEC if they're detected or seen. Now, on the one hand, this is a stupid law, because you're already required by law to report any instances of suspected child pornography. But, on the other hand, this is potentially distressing because, if read the wrong way, it could result in free wi-fi access being yanked out of most coffee shops as they may determine the legal exposure is too great. Yet another case where Congress is micromanaging where they needn't interfere. There are potential privacy implications here, too, that are of course not likely being considered by the geniuses on the Hill.

Last, but not least, as mentioned earlier today, Republican presidential wannabe Mitt Romney today mimicked JFK in giving a speech on the role of his religious beliefs in his life as a public servant. Fortunately, he erred on the side of providing space for all religions, though at the same time he seemed to imply that we should all adhere to religious values, which seemed a little off. You can decide for yourself. You can read CNN's coverage here, and the Salon has posted follow-ups here and here.

December 14, 2007

Trimming My InfoSec Data Sources, Sharing with Google

I've decided to trim back my infosec data sources as some of them have held decreasing value for me of late. The big change is that I'm reading most of my news through Google Reader, and so my desire to wade through piles of mailing list discussions has flagged. To that end, I've dropped three Security Focus mailing lists today: incidents, firewalls, and forensics. My biggest complaint was that these moderated lists were either feast or famine (though a malnourished feast at that). Moderators can help keep discussion on-topic, but if they're not attentive, then you get a slew of messages all at once. My other complaint relates to the high number of bounces from these lists. I responded to one post last week and proceeded to receive almost 2 dozen bounces. Quite the penalty for participating!

In other news, I've decided to start making use of the "Shared Items" feature in Google Reader. Feel free to subscribe to the feed at the following link, or you can revisit it by selecting the "My Google Feed" link on the right.
http://www.google.com/reader/shared/02083241909295253845

January 15, 2008

What I've Been Reading: Security

Alrighty, my second blogroll (of three)... this one is focused on security (multiple aspects), ranging from aviation security to faulty bridge design (physical security) to threats from the plague to commentary on compliance and PCI DSS. Also, a collection of very entertaining videos of Derren Brown performing his "mind hacking" tricks. The links are further on, but the full list of articles is:
* Refuse to be Terrorized
* Source: Design flaw caused bridge collapse
* Plague: The new Black Death
* Patrick Smith on Aviation Security
* Demos Report on National Security
* From Monitoring To Prevention: Switching To Debix
* US Policy Would Allow Government Access to Any Email
* Cloned animals are 'safe to eat'
* An Assertion About PCI & Risk Management
* IT Security Compliance: What are the Critical Success Factors?
* Bayesian Truth Serum
* OWASP London Chapter December 6th Presentations Now Online
* Mind Hacking.

January 23, 2008

Rasch on ND Ruling

If you hadn't heard, a fellow named David Ritz was ruled against in a North Dakota civil case earlier this month for finding information on alleged spammer Sierra Corporate Design. At the core of the case was Ritz's use of DNS zone transfers to determine the full extent of named servers within Sierra's network, which was ruled to amount to unauthorized access. The conundrum is this: in general, access to network services is presumed on the Internet to be implicitly authorized, unless labeled otherwise. Furthermore, even if the network service is misconfigured to provide more information than is desired, it is still generally assumed that the information is "public" by virtue of being available. Unfortunately, as Rasch explains, in the ND case, intent was also factored into the equation. So, just because Ritz could perform a DNS zone transfer does not mean that he was authorized to do so. This conclusion is somewhat specific to DNS zone transfers (we hope) because it is an area where there isn't necessarily a good case for demonstrating implicit permission simply because the query can be performed.

You can read the whole story here. Rasch concludes by saying:

Again, it’s a close call. Under other circumstances, a court could easily conclude that the use of a particular command was, in fact implicitly authorized. Security researchers use publicly available and widely used tools to probe Internet accessible computers all the time. Courts in the future are likely to look both at the motives of these researchers and the impact of what they do in deciding whether or not their actions give rise to civil or potential criminal liability. So we need to learn to play nice with other children.

January 28, 2008

Security Risks of FISA Reform

Venerable InfoSec veteran/forefather, Steve Bellovin, has a post on his blog about the security risks related to the so-called "Protect America Act" (aka FISA amendments/reform). He and a number of other infosec über-geeks have penned an article for IEEE Security & Privacy on the topic.

From his blog post:

Fundamentally, a wiretap is an intentional breach of security. It may be a desirable or even a necessary breach, but it is a breach nevertheless. Furthermore, the easier it is for the "good guys" to "break in", the easier it may be for the bad guys. The Greek cellphone tapping scandal is just one case in point.

There's another, more subtle, problem: if your wiretap is done incorrectly, perhaps by relying on incorrect information, you may miss traffic that you're entitled to hear (and should hear, to protect society).

http://www.cs.columbia.edu/~smb/blog//2008-01/2008-01-27.html

The Use of FUD in the FISA Debate

As I've mentioned on a few occasions recently (see here, here, and here), FISA reform, such as in the form of the so-called "Protect America Act," is very bad for this country, in terms of privacy, national security, and civil liberties. I wanted to spend a little time, however, exploring this concept of "FUD" and why it's a dangerous argument.

Happy Data Privacy Day, Happy Birthday LEGO Block

Just a grab bag of links across the spectrum of things I've been reading today. Enjoy!

* Best Buy recalls infected picture frames: Some Insignia-branded digital picture frames seemed to have been shipped with a computer virus. Oops!
* LEGO Brick's 50th Anniversary: It's the 50th anniversary of the LEGO brick. Check out this site with a cool graphical timeline. :)
* Disabled Spy Satellite Threatens Earth: Duck and cover! A US spy satellite seems to have lost its propulsion system and is projected to come crashing back to Terra Firma some time in the next couple weeks. It's rumored to contain sensitive data, and to be toxic. I wonder if the "toxic waste" warnings are designed to keep people away from the sensitive data? :)
* Code Red: An Economist Explains How to Revive the Healthcare System Without Destroying It: Tyler Cowen recommends this book if you're curious about the economics of health care and how to solve the problems.
* Happy Data Privacy Day!: Per SANS, the IAPP has declared today Data Privacy Day. Protect your data, identity, and shred stuff. More importantly, fight the rollback of civil liberties.
* New 4100 Lumen Flashlight Can Set Things On Fire: Looking for a portable way to fry everything in sight? Check out this new flashlight, capable of 4100 lumens. It can burn paper, melt plastic, or fry an egg. Fun stuff! :)

January 29, 2008

Lessons on Privacy

It's still early, so I'm not going to spend a lot of time going into this. Bruce Schneier has an excellent article posted today on "Security vs Privacy" - looking at how it should not be framed as a "vs" comparison, since the two concepts are compatible. A very interesting, worthwhile read.

Also, from the files of "be careful what you put on the Internet," 4 teenagers in Minnesota have been disciplined for posting pictures of themselves consuming alcohol on their Facebook pages. Oops. This seems to be part of a larger trend, as I've seen probably half a dozen such instances just in the past week. The best rule of thumb is this: don't even take the picture, let alone post it in a public forum. Duh. I do, however, wonder about the legality and admissibility of these works. Somebody else's problem to solve today.

January 30, 2008

A Few Tech and Security Links

Rather than spam you with a bunch of different posts, thought I'd consolidate a few here, with comments. The articles in question are:
* MythBusters: 7 Tech Headaches—and How to Fix Them, by Jamie Hyneman
* ICANN Moves To Disable Domain Tasting
* Symantec Weblog: From Myth to Reality: Evaluating the State of IT Risk Management
* Swedish Bank Stops Digital Theft

I've offered up a few comments inline on each below.

Continue reading "A Few Tech and Security Links" »

February 4, 2008

A Brief Blogroll from the Weekend

I'm increasingly finding that there's just too much news to share. The easiest way to follow what I'm finding interesting is to subscribe to my Google share feed. Barring that, here are a few stories of interest. BTW, I'm working on a more extensive blog post on encryption key management, which I hope to have up by mid-week, along with a retrospective on how I'm doing thus far on my new year resolutions. :)

Stories of interest (links and comments below):
* Fourth Undersea Cable Taken Offline In Less Than a Week
* Mega-D Botnet Overtakes Storm, Accounts for 32% of Spam
* SSL Is Useless.
* Tesla.
* Free Speech and Net Neutrality: Separating Fact from Fiction

Continue reading "A Brief Blogroll from the Weekend" »

February 5, 2008

Bellovin on Cable Cuts...

As I mentioned here, conspiracy theories are arising about the nature of the 4 undersea cable cuts in the past week. Security veteran and sage Steve Bellovin comments on the conspiracies here. His closing quote about sums it up for me:

So — I don't know what happened. As a security guy, I'm paranoid, but I don't understand the threat model here. On the other hand, four accidental failures in a week is a bit hard to swallow, too. Let's hope there will be close, open examination of the failed parts of the cables.

February 6, 2008

More on Cable Cuts, Maybe a 5th Incident

As mentioned here and here, the undersea cable cut situation is very strange. Even Bruce Schneier thinks so. And he's heard that there may now be a 5th undersea cable incident in the same region. If that ends up being confirmed, then this has to be officially classified as suspicious.

BTW, Iran is not offline, from what I can tell (Bellovin said as much yesterday, though Schneier mistakenly contradicts). See this blog post for proof. The comments in Schneier's blog are intriguing. I guess we'll just have to wait for more info, but this whole situation seems really sketchy. All I know is that our government had better not be behind it. I would not be surprised to learn some day that the cuts occurred to force taking the cables offline for service, allowing the NSA or CIA or similar to put splitters on the lines for monitoring.

More on Cable Cuts...

Rich Mogull at Securosis posted his thoughts on the 5th cable cut incident and its seemingly suspicious nature (check out the conspiracy theories list I've started in comments:). Robert Graham at Errata Security says this is much ado about nothing (but offers his own amusing conspiracy theory). Definitely good reading. Who would be a good authority on the frequency of sea-cable cuts and outages?

February 7, 2008

Patch Tuesday to be a Doozy

The ever-so-popular "Black Tuesday" is approaching (Feb 12th), and this month's is going to be a biggie. According to the Microsoft Security Bulletin Advance Notification for February 2008 there are 7 Critical patches (all denoted as addressing "Remote Code Execution" vulns) and 5 Important patches (ranging from DoS to Privilege Escalation and so on). Additionally, according to the MS Security Response Blog there will be 7+2 = 9 updates to Microsoft Update, Windows Update, and Windows Server Update Services (WSUS). Oh, and the monthly malware tool update.

In related news, MS has a new "Security Vulnerability Research & Defense blog" that seems to be pretty cool, if you're into geeky, techie MS vuln/security info.

Get your update servers dialed-in and ready to rumble. I've noticed notes on various 0-days surfacing in the last week or two (if you read my Google feed then you've seen those, too). Yee-har!

February 8, 2008

No Cable Cut Conspiracy, Much Ado About Nothing

Apparently it's all a bunch of hype and bad counting. TechCrunch has a story on the topic here, and they link to a Wall Street Journal blog post here, and to a story on The Economist here. Personally, I'm disappointed. I was really hoping for a good conspiracy in this election year. Something to distract me from the mudslinging that we've seen the past couple weeks. I mean, football season is over, so I really have nothing better to do with my time. ;)

February 9, 2008

New Authentication Schemes

Slashdot has had a couple stories posted in the last couple days about new authentication schemes. The first scheme comes from Carnegie Mellon University, where graduate students have developed a method to cover the input interface with the hand to protect against observational attacks, combined with a graphical password control. The paper is well-written and, though not seemingly reasonable to implement quite yet, poses some interesting ideas. More on it at the following links:
http://it.slashdot.org/article.pl?sid=08/02/08/0452221
http://www.darkreading.com/document.asp?doc_id=145104&WT.svl=news1_2
http://www.andrew.cmu.edu/user/nicolasc/publications/SCH-CHI08.pdf

In other news, a startup named Credentica is featured in an article on Wired discussing their authentication scheme and how it could prove identity with minimal information exchanged. They leverage a cryptographic method to authenticate a transaction without necessarily disclosing identity. This concept seems rather strange in that the whole point of authentication is to reasonably prove an asserted identity. The opening paragraph of the Wired article puts it in a little better perspective:

"Imagine you could prove you were 21 without revealing your date of birth -- or anything else about you, for that matter. Or qualify for a loan without disclosing your net worth. Or enjoy the benefits of e-commerce, e-health and e-government without a moment's fear that you are open to identity theft."
Overall, this sounds interesting, but my "snake oil" alarm is tingling and I'm not sure I see the benefits (yet) of this type of transaction. Maybe I'll understand it once I've re-read the article a couple times. More info at these links:
http://yro.slashdot.org/article.pl?sid=08/02/09/0229203
http://www.wired.com/politics/security/news/2008/02/credentica
February 23, 2008

Various and Sundry

I've been diligently working on a few articles, plus fighting a cold, over the last few days, so you'll have to excuse the decreased blog output (or not - feel free to hold a grudge for a while, if it makes you feel better:). Anyway, I ran across a few articles today that were interesting enough to make me want to talk about them. So, here's a hodge-podge of topics, ranging from politics to infosec to cool new technology, including a brief review of the latest book I've read, The End of America: Letter of Warning to a Young Patriot by Naomi Wolf.

Continue reading "Various and Sundry" »

March 2, 2008

My Philosophy of Security

In 2006 I completed the Masters program in Information Security Management at the George Washington University. As part of that process, I completed a Masters thesis, in which I performed a high level review of "models, frameworks, and methodologies" under the umbrella of "assurance" (aka "information security," "infosec assurance," "computer security," etc). The goal of this initial literature review was to find a single model that could be used across an entire assurance program, incorporating what I posited as the core competency areas of Enterprise Risk Management, Operational Security Management, and Audit Management. The result of this first phase was a determination that no such model existed. Being stymied and frustrated by this lack of enterprise-level models for instituting assurance management, I embarked on creating my own. The resultant Total Enterprise Assurance Management (TEAM) model accomplished this goal, and then some (I'll come back to this in a bit). It's worth noting, incidentally, that the literature review is now about 2.5 years old, yet I firmly believe that the conclusions are just as valid today.

I bring this all up now because security philosophy has been bugging me over the past couple weeks. In returning to security consulting, I am again reminded that not everyone understands security beyond their niche, which can be very problematic when trying to work in a cross-organizational manner.

Continue reading "My Philosophy of Security" »

March 6, 2008

Transformational Change Starts with the Business

You can lead a horse to water, but you can't make it drink.
As I've recently noted, the information security industry seems to be stagnated. We've come a long way from the old days of "security==firewall" - and yet, it strikes me that we still aren't really getting all that much done. As a consultant, it can be very frustrating to realize one's own mortality; we aren't able to play Superman in all situations. When we succeed in moving a mole hill cum mountain, we're hailed as heroes. When we get something done, our invoices/salaries get paid. Surely there must be more.

Someone recently asked on a mailing list what people thought of the impact of PCI DSS on software security (the current v1.1 of the standard has requirements to follow OWASP practices in secure coding). In thinking about the effectiveness of PCI, I concluded that it, like SOX, has reached a point of equilibrium as ineffectual. Businesses still seem to universally fail to grasp the value of most security practices, and thus resist the up-front costs required to undertake a truly transformational program.

Continue reading "Transformational Change Starts with the Business" »

March 19, 2008

Why the Clear Program is Kind of Stupid

I don't have a lot of time this morning to write, but I did want to jot off a couple quick notes after seeing on the local news this morning that Dulles and Reagan airports (here in DC metro) are activating Clear programs this morning. Clear is one of the commercial companies providing services under the TSA's Registered Traveler program (also here).

Continue reading "Why the Clear Program is Kind of Stupid" »

March 21, 2008

The Security Mindset

There's an excellent article on Wired.com by Bruce Schneier about the mindset of the security professional. I'll be the first to tell you that I certainly think differently than the average person. In fact, I drive many people (engineers, developers, etc) nuts sometimes because my approach to problem-solving can be so completely sideways to "the norm."

Hat tip to Anton for sending the link around...

The Key Management Lifecycle

(NOTE: This blog post was updated on 3/31/08 to properly reflect the overlap of Rotation and Expiration. The original draft published incorrectly showed overlap between Rotation and Deployment, which, upon reflection, made no sense whatsoever.)

In my past life, I was involved in the review and management of cryptographic services, including helping define key management processes and requirements. Now that I'm back into the consulting world, I'm finding that the topic of key management and encryption requirements is one of interest to a fairly broad, and rapidly expanding audience. Let's face it: the PCI DSS requirement for encrypting data at rest has served as the catalyst for deployment of numerous crypto systems, creating a secondary risk scenario related to improper management of those systems and related crypto materials (keys).

Toward that end, I've put together here an overview of how I view the key management lifecycle. While I do not claim to be an expert in crypto systems, by any means, I hope that you will find my thoughts on this matter to be of use. If nothing else, I hope that you can use it to analyze crypto systems within your environment and help ensure that the amount of risk related to these systems and associated key management processes is acceptable, or can be revised to bring them in line with accepted risk tolerances.
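To make the Rotation/Expiration overlap mentioned in the note above concrete, here is a small state-machine model of one key's life. This is an added illustration, not the lifecycle from the original post or its figures: the states (Deployed, Active, Rotating, Expired, Destroyed), the grace window, and the rule that a key under rotation is decrypt-only until it expires are my assumptions about how such an overlap is usually handled.

```python
"""Toy key-lifecycle model with a Rotation/Expiration overlap (added example).

Assumed lifecycle (not the original post's model):
  Deployed -> Active -> Rotating -> Expired -> Destroyed
A key enters Rotating when its successor is activated. During rotation the
old key may still decrypt existing data but never encrypts new data; the
rotation window ends when the key Expires, after a configurable grace period.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    DEPLOYED = "deployed"      # material distributed, not yet in use
    ACTIVE = "active"          # used for encryption and decryption
    ROTATING = "rotating"      # successor is active; this key is decrypt-only
    EXPIRED = "expired"        # grace window closed; no cryptographic use
    DESTROYED = "destroyed"    # material securely erased


@dataclass
class Key:
    key_id: str
    state: State = State.DEPLOYED
    rotated_at: Optional[int] = None   # day number when rotation began


class KeyRing:
    """Tracks one family of keys and enforces the state transitions."""

    def __init__(self, grace_days: int):
        self.grace_days = grace_days
        self.keys: Dict[str, Key] = {}
        self.active: Optional[str] = None

    def deploy(self, key_id: str) -> Key:
        self.keys[key_id] = Key(key_id)
        return self.keys[key_id]

    def activate(self, key_id: str, today: int) -> None:
        """Make key_id the encryption key; the previous key starts rotating."""
        k = self.keys[key_id]
        if k.state != State.DEPLOYED:
            raise ValueError(f"{key_id} is {k.state.value}, not deployed")
        if self.active is not None:
            old = self.keys[self.active]
            old.state = State.ROTATING
            old.rotated_at = today
        k.state = State.ACTIVE
        self.active = key_id

    def tick(self, today: int) -> None:
        """Expire rotating keys whose grace window has closed."""
        for k in self.keys.values():
            if k.state == State.ROTATING and today - k.rotated_at >= self.grace_days:
                k.state = State.EXPIRED

    def may_encrypt(self, key_id: str) -> bool:
        return self.keys[key_id].state == State.ACTIVE

    def may_decrypt(self, key_id: str) -> bool:
        return self.keys[key_id].state in (State.ACTIVE, State.ROTATING)

    def destroy(self, key_id: str) -> None:
        k = self.keys[key_id]
        if k.state != State.EXPIRED:
            raise ValueError("only expired keys may be destroyed")
        k.state = State.DESTROYED


def walkthrough() -> Dict[str, object]:
    """Run one rotation with a 30-day grace window and report what each key may do."""
    ring = KeyRing(grace_days=30)
    ring.deploy("k1")
    ring.activate("k1", today=0)
    ring.deploy("k2")
    ring.activate("k2", today=100)     # k1 enters Rotating on day 100
    ring.tick(today=110)               # inside the grace window
    during = (ring.may_encrypt("k1"), ring.may_decrypt("k1"))
    ring.tick(today=130)               # window closed: k1 expires
    after = (ring.may_decrypt("k1"), ring.keys["k1"].state.value)
    ring.destroy("k1")
    return {"during_rotation": during, "after_expiry": after,
            "final": ring.keys["k1"].state.value}


if __name__ == "__main__":
    print(walkthrough())
```

The point of the overlap is in `may_decrypt`: data encrypted under the old key stays readable while it is rotating, so re-encryption can proceed without an outage, and the window has a hard end at expiry after which only destruction remains.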

Continue reading "The Key Management Lifecycle" »

March 25, 2008

Unbalancing the Equation to Achieve Improved Data Privacy and Security

"Insanity: doing the same thing over and over again and expecting different results."
- Albert Einstein

If you've watched the Matrix trilogy of movies, then you might recall one of the themes from the movie. In the second installment, Neo meets the Architect, who tells him that the current Matrix was not the first, but was in fact a later revision. The problem, it seems, was that the original version was too perfect (a perfectly balanced equation), which could not be accepted by the human mind, and which then led to the entire system collapsing. The solution was to create an unbalanced equation, and then a method for managing the remainder as necessary.

In the security industry, we've reached a point where the equation is balanced, at least as far as the business is concerned, and bad things are starting to happen. Over the past 15 years, technology has been able to evolve to match most threats, but the simple truth is that we're still not winning the battle. Businesses are still not properly incentivized to invest more into security countermeasures, but instead do the minimum necessary to keep their shareholders from sacking the lot. Ladies and gentlemen, I submit to you that it is now time to unbalance the equation.

Continue reading "Unbalancing the Equation to Achieve Improved Data Privacy and Security" »

March 27, 2008

1337 h4X0r tome: "The Internet for Dummies"

Everybody knows that the "Dummies" series of books are really aimed at the high-end market, right? Apparently so. According to this story, a teenager in Wisconsin has been arrested for "hacking" his school's computer systems (though no indication of damages has been provided). As part of the arrest, his copy of The Internet For Dummies (Internet for Dummies) was seized as evidence. Ummm... yeah. That's right, you heard me, local LE there thinks that Internet for Dummies is a 1337 h4X0r tome ("elite hacker tome"). Sure it is. Good job super-cops! :) They'd better move swiftly to ban that dangerous hacking book!

Not to let you think that all the truly hard-core tech criminals are based in Wisconsin, you might also check out this lovely story about a teen in Iowa who brazenly stole a girl's iPod, holding it ransom with the demand that she be taped doing naughty things and provide said tape for his own "entertainment" purposes. The genius of course included his email so that she could email over the mpeg with great haste. Now, physical security concerns aside, not exactly the brightest bulb.

March 31, 2008

Correction: The Key Management Lifecycle

Just a quick heads-up: in reviewing the extended article draft that corresponds to my March 21st post titled "The Key Management Lifecycle" I found that my second figure was incorrect. For some reason I had drawn a corollary between Rotation and Deployment, when instead it should have been between Rotation and Expiration. This problem has been remedied. Apologies for any confusion created.

April 5, 2008

Off to RSA 2008...

I'm heading out to San Francisco early tomorrow (Sunday) morning to attend the RSA Conference 2008. I'll be attending an IAM pre-conference workshop Monday, then several newbie events that evening (this is my first time to RSA). Tues-Fri are the conference, which look to be very busy as of right now. I'll do my best to blog as I go, but no promises that anything will be timely. We shall see.

April 9, 2008

RSA 2008: Highlights From Days 1-2

Greetings! I'm exhausted. :) Ok, that being said, I wanted to run down what I've been up to thus far. My feet hurt. And, for the record, it's rather chilly here, with a consistently stiff breeze (particularly cold in one's face while trying to walk uphill).

Continue reading "RSA 2008: Highlights From Days 1-2" »

April 10, 2008

RSA 2008: Day 3

Just a few quick notes on yesterday (my 3rd day at RSA 2008). Let me start by saying that I have a throbbing headache as I write this (hangover?)... and I'm starving, because I somehow managed not to eat anything at the 4+ receptions that I visited. Ah, yes... nothing like the conference life! :)

Continue reading "RSA 2008: Day 3" »

April 11, 2008

RSA Day 4: Malcolm Gladwell and the Bash

This is a very brief middle-of-the-night, post-Codebreakers Bash post. Day 4 was clearly a coasting period... the vendors were all exhausted and in decline... but yet, it was a very good day. :)

Continue reading "RSA Day 4: Malcolm Gladwell and the Bash" »

April 12, 2008

RSA 2008 Day 5: The End is Here

I'll be doing a more complete retrospective on the conference later (hopefully annotated on the flights home, and then typed quickly Sunday, if I'm allowed to do so:). Overall, Friday was a great ending to the conference, with a very light schedule (thank goodness). The highlight was the final keynote by former-VP Al Gore, complete with a few hecklers. More after the jump...

Continue reading "RSA 2008 Day 5: The End is Here" »

April 25, 2008

Killing Security, Piece by Piece

Ok, not really, but it's kind of a catchy headline, right? For anyone that caught the RSA Conference (either live or in archive), then you probably picked up on the theme that I've been riding for a few months now: this industry is stagnated and dying. In their keynote, IBM even went so far as to say that the industry has no future. While I think that this is a gross mischaracterization of the situation, it is an interesting stance for a product company to take. RSA Pres Art C said similar things during his keynote, too, but then proceeded to talk about how RSA products would be the solution to the problem (what was the problem again?). Anyway... this week has seen a full surge in this death knell for the industry, though now in the form of dismantling it, piece by piece.

Continue reading "Killing Security, Piece by Piece" »

April 29, 2008

PCI App Security, Kraken Hackback Ethical Dilemma, and MS Forensics

I realize that I've been a bit light on infosec subjects lately, so thought that I'd better get back on topic. :) There are three bits out today that I've found particularly interesting.

First, more information has been released by the Payment Card Industry regarding their DSS 6.6 requirement on application security. It's a very insightful read and should help calm the nerves of those doing compliance.

Second, TippingPoint has broken into the Kraken botnet, to the tune of potentially controlling 25,000+ compromised hosts. They're now debating the ethics of using the infection to clean and secure the infected hosts. This issue is not nearly as simple as some might imagine. For one thing, to do so could be illegal. For another, who knows how much liability could be involved, especially when considering the law of unintended consequences.

Third, it's been disclosed that Microsoft has been providing law enforcement with free USB pendrive toolkits for forensics response purposes. It's not clear what all is on these devices, though one might assume many of the SysInternals tools are included (MS bought them a while back). Some have raised questions about the quality of evidence collected using these tools, since many of us doubt that write protection is enabled, etc. These devices appear to be designed for live response and require physical access to the box. I am curious about how they're bypassing the login screen, where they're capturing data to (is MS playing custodian for network-based data capture?), and what toys they've included. Hopefully there aren't any secret backdoors that will be subsequently exploited. :(

April 30, 2008

Security Poetry...

Love the Hoff
You know you want to
    Unconvinced?
His poetry will sway you

May 1, 2008

The Internet is of the Devil

Gloss over the fact that the story I'm linking to right here is for a political site, and click through to some of the reports referenced. Apparently the Internet is a threat to national security and will be the downfall of mankind. Or something like that, if you believe the FUD and hype. It's not the argument that bad people are using the Internet that I disagree with. Quite the contrary, I'm well aware of the role of organized crime and terrorists on the Internet. However, that being said, you don't throw the baby out with the bath water. The Internet has also had a democratizing effect on access to information, freedom of speech, and related areas of humanitarian concern and growth.

Inevitably, this saber-rattling will relate to building the case (this time by the State Department) to build their own cyber-security uber-group, just as the Air Force and DoD have done. If you'll recall, just last Fall the AF general in charge of cyber-warfare was making lots of noise about the terrible threats the government is facing (a good portion of which is substantiated and real), and lo and behold, his unit received a nice boost in funding.

Bottom line: don't panic, follow good security practices (or hire me to help with that), and simply accept that, like any other large community, there will be malevolent forces at work against which you need to be prepared. Not so scary, right?

May 7, 2008

Process Improvement: Overcomplicating the Simple

I'm a fan, in general, of process improvement (PI) initiatives, particularly when they equate to defining and documenting primarily undefined processes. However, given that complexity is a threat to security, I get concerned when PI programs become so complicated that it's hard to understand what's going on. I also get concerned when groups independently define processes that are related or dependent, without the proper buy-in or collaboration.

Continue reading "Process Improvement: Overcomplicating the Simple" »

May 9, 2008

Reflections on the 2008 RSA Conference

Now that it's May and I've had a few weeks to recover, I've decided that it's time to finally post a thorough retrospective piece on my first attendance of the RSA Conference in San Francisco. Overall, I had a wonderful time, taking full advantage of the opportunity to meet lots of people. I approached the conference primarily as an opportunity to network with colleagues across the industry, secondarily to attend some training sessions, and thirdly to hit the vendor expo. As expected, none of the training sessions were overly technical. Conferences simply cannot have highly technical sessions because a certain portion of the presentation has to be spent on level-setting with the audience.

You can see my day-of posts from the conference here, here, here, and here. Also, pictures from the week are available here.

Continue reading "Reflections on the 2008 RSA Conference" »

May 13, 2008

Privileged Password Management: Cloakware & Cyber-Ark

Over the last few months, I've been involved in a project to help address concerns over the end-to-end management of privileged passwords (root/administrator), with a particular focus on embedded passwords used by applications to connect to databases. It's very common today for applications to have embedded passwords, such as in configuration files, for accessing databases, including apps that need to access credit card data. While some tools, such as WebLogic Server, address this concern by encrypting the passwords in the configuration files at load time, this is not necessarily a universal solution. Additionally, the distribution of passwords to these systems is generally performed in a less-than-optimal manner.

To that end, I've found a couple products that seem to provide reasonable solutions to these problems. Following is a quick synopsis of those products and my quick thoughts on them. Please note that these comments are not compensated by either vendor. If you'd like to compensate me, buy a kettlebell! :)
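The embedded-password problem described above is easy to find with a small scan, and just as easy to avoid once the application refuses inline secrets. The following is an added example, not code from the post or from either vendor mentioned: it scans a constructed properties file for credential-looking keys whose values are plaintext, treating an encrypted marker (the `{AES}` prefix is a sample convention here) or an environment reference as acceptable, and shows a loader that only accepts the externalised form.

```python
"""Scan config text for plaintext credentials and resolve externalised ones.

Added example; the sample config below is constructed, not from a real system.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample properties file (not a real deployment).
SAMPLE_CONFIG = """\
# app.properties (constructed example)
db.url=jdbc:oracle:thin:@dbhost:1521/cards
db.user=appsvc
db.password=Summer2008!
cache.password={AES}QmFzZTY0RW5jcnlwdGVkQmxvYg==
mail.password=${env:MAIL_PASSWORD}
api.token=
"""

# Keys that usually carry a credential.
CRED_KEY = re.compile(r'(?i)(passw(or)?d|passwd|secret|token|api[_.-]?key)$')

# Values considered acceptable: an encrypted blob marked with a {SCHEME} prefix
# (sample convention), a reference to be resolved at load time, or empty.
SAFE_VALUE = re.compile(r'^(\{[A-Z0-9]+\}.+|\$\{[^}]+\}|)$')

# Only this reference form is resolved by the loader below.
ENV_REF = re.compile(r'^\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}$')


def find_plaintext_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line number, key) for every credential key with an inline value."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        key, value = key.strip(), value.strip()
        if CRED_KEY.search(key) and not SAFE_VALUE.match(value):
            findings.append((lineno, key))
    return findings


def resolve_secret(value: str, env: Dict[str, str]) -> str:
    """Resolve a ${env:NAME} reference; refuse anything written inline."""
    m = ENV_REF.match(value.strip())
    if not m:
        raise ValueError("inline credential refused; use ${env:NAME}")
    name = m.group(1)
    if name not in env:
        raise KeyError(f"secret {name} not provided to the process")
    return env[name]


if __name__ == "__main__":
    for lineno, key in find_plaintext_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: {key} holds a plaintext credential")
    print(resolve_secret("${env:MAIL_PASSWORD}", {"MAIL_PASSWORD": "from-vault"}))
```

Run against the sample it flags only `db.password`; the scan is deliberately conservative about key names, so extend `CRED_KEY` to match the naming used in your own configuration files. The loader side matters as much as the scan: once `resolve_secret` is the only path to a credential, a plaintext value is a startup failure rather than a silent exposure.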

Continue reading "Privileged Password Management: Cloakware & Cyber-Ark" »

May 14, 2008

A High-End Sniffer/Analyzer/Recorder: NetWitness

I was introduced to a company a couple weeks ago that I think everyone should learn a little bit more about. Why? Well, for starters, their technology is really, really cool. But, being cool isn't enough (or, shouldn't be), and so I think it would be useful to go into a little more detail. The company in question is NetWitness.

NetWitness is essentially a combination between a packet recorder, a sniffer, and a layer 2-7 analyzer. They have their own metalanguage that is used to describe data, making it much easier to sort through what you've collected. Their appliances have 12 TB of storage (yes, that is indeed a 'T' there), which is a lot of disk. More importantly, they've built reasonably good tools for digging into that data, thanks in part to their metalanguage.

Continue reading "A High-End Sniffer/Analyzer/Recorder: NetWitness" »

May 16, 2008

Lazy Friday Pseudo Link Love

It's Friday, I'm beat, and, well, I'm just feeling a bit lazy, to be quite honest. So, here are a scant few links to interesting stories from today, of all times. If you're curious about what I find most interesting during the week, then please subscribe to my Google Shared Items feed. Links after the jump...

Continue reading "Lazy Friday Pseudo Link Love" »

June 1, 2008

Heading to Gartner IT Security Summit Monday

Howdy folks - just a quick heads-up, I'll be playing "booth babe" for BT on Monday at the Gartner IT Security Summit tomorrow (Monday 6/2) in Washington, D.C. If anybody is planning to attend, please feel free to drop by the BT booth or drop me a note so that we can meet up! :)

June 3, 2008

Published in BT Initiatives

I'm happy to announce my first publication (included below). It's for my employer, so probably not a huge deal to anybody reading this, but for me it's a nice milestone. It's in the May 2008 edition of Initiatives, titled "Evolving Risk Resilience." Risk resilience is our new theme within security consulting. Since you cannot eliminate risk, you instead need to become resilient to it (sounds like a very British term - we used to call it risk tolerance, I believe, but whatever).

Continue reading "Published in BT Initiatives" »

June 4, 2008

Gartner IT Security Summit: Needs More Cow Bell?

So, I'm back from a couple short days as a "booth babe" for BT at the Gartner IT Security Summit. It was quite interesting, though underwhelming. I sat in on one session on Monday and of the couple hundred seats, maybe 1/8th were filled. The exhibit floor was very large, which seemed nice at first, but in walking around and talking to other vendors, it became clear that nobody was getting much foot traffic, especially the farther back you went. The layout didn't direct people down rows to look at everything, but was instead a well-spaced matrix that, while aesthetically pleasing, did not result in driving traffic to booths. It also seemed a bit nuts to me that the exhibit floor was only open for 2 hours over lunch all week, plus a single 2-hour evening session on Monday night. That's 8 hours of available exhibitor time that overlapped with email catch-up time for what is presumably targeted to the very busy CIO/CISO market.

Continue reading "Gartner IT Security Summit: Needs More Cow Bell?" »

June 11, 2008

SCADA Hole, InfoSec Humor

Updated: SANS Storm Center has more info on the CitectSCADA vulnerability here.

The AP reports, via the Star Tribune, that Core Security Technologies has identified a significant hole in CitectSCADA software. I'm sure this will be one of many, many holes identified over the coming months and years. The security bulletin doesn't seem to be posted (though I honestly didn't look too hard).

In other news... this is funny, and oh-so-true! Read the satirical "Are you a computer security professional?". Hat tip to Anton.

June 12, 2008

Non-gov InfoSec Position in Reston, VA

In case anybody out there is interested, one of my clients is hiring an "Information Security Analyst" and is willing to pay fairly well. Full position notice is included below, after the jump. This client has been quite decent to work with and there is certainly a lot of opportunity in the environment. If you're interested, please ping me and I can help get your resume/CV to the hiring manager.

Continue reading "Non-gov InfoSec Position in Reston, VA" »

June 18, 2008

Good Commentary on Airport Security Insanity

Courtesy of my father, and from a rather conservative corner of the blogosphere. This article by Walter Williams provides a very pointed critique of TSA and why most of us in the security industry find the whole theater absolutely nauseating. My favorite quote:

"The bulk of the people hassled by these and other TSA procedures are law-abiding Americans who have no malicious intentions, along with a few people traveling with drugs and other contraband. The TSA routinely confiscates about 15,000 items a day from passengers, in addition to the hassle, rudeness and arrogance. With these kind of costs imposed on the traveling public, I'd like TSA to give an account of themselves, namely just how many hijackings or bombings they have prevented, along with the evidence. Americans have been far too compliant and that has given the TSA carte blanche to treat travelers any way they wish."

Security is Like Fighting Ants

Have you ever had to deal with an ant infestation around your home? We've recently moved into a rental home, and our first major headache has been dealing with ants. It's apparently a seasonal thing (beginning and end of Summer), but it was still quite annoying, not to mention a bit gross. The first incursion occurred on move-in day. After having several guys help out, we grilled, and from around the door to the deck I noted a steady stream of ants that followed the trail of crumbs all the way to the nearby kitchen sink. Suffice to say, cleaning has become a much higher priority since then.

Dealing with this matter has gotten me thinking about corollaries with security. These ants are external attackers (which is now known to be our primary concern, thanks to Verizon's report), and they seem to be very motivated to get through the perimeter. Once past the perimeter, they're much harder to contain. Also, how you defend against them varies depending on your goals.

Continue reading "Security is Like Fighting Ants" »

June 21, 2008

Resist Strictly Incremental Changes

"IT consolidation is a major undertaking that can require escalating upfront capital costs to achieve long-term cost savings. It can also take between six months and two years to execute. As such, these investments often face senior executive — if not board-level — scrutiny. A business case built or vetted by a major consultancy has a better chance of approval due to higher perceived credibility of the methodologies and rigor behind the business cases built by these firms." (Source: James Staten, principal analyst, Forrester Research)

One of the more common sights in enterprises is to see an incremental approach to addressing big problems. From an engineering perspective, this is fine, and really quite a good problem solving tactic. However, when it comes to making meaningful change from a security perspective, I have come to seriously question the utility of incremental changes.

Continue reading "Resist Strictly Incremental Changes" »

July 8, 2008

Urgent Action: Major DNS Flaw Identified

Just a quick note and redirection to more info. According to Rich Mogull over on Securosis, a major fundamental flaw in the DNS protocol has been identified, and patches are being released by vendors. The flaw is in the protocol itself and affects both servers and clients. Prompt attention is warranted for this matter, so please check your DNS servers ASAP.

More info in Rich's post *** HERE ***. If you need a TinyURL address for that link, I've set up http://tinyurl.com/dnsbug.

July 9, 2008

Seriously, the DNS Flaw is Big (they say)

In case you, like me, were a bit skeptical of the big DNS protocol flaw announcement, and thought "well, they're just over-hyping as usual" - I guess maybe not? I run djbdns, so I'm generally fine, but the big vocal blog-o-scoffs have started retracting after talking to the big Dan K, so now I kind of wish I could see the preso at BlackHat (though, no, I don't really wish I were going to BH, especially this year with the baby due around the same time). More info is now available at:
http://www.matasano.com/log/1093/patch-your-non-djbdns-server-now-dan-was-right-i-was-wrong/
http://taosecurity.blogspot.com/2008/07/thoughts-on-latest-kaminski-dns-issue.html
http://securosis.com/2008/07/09/more-on-the-dns-vulnerability/

July 11, 2008

Obama on His FISA Vote

I had the opportunity to attend an Obama Town Hall rally this week. Given the town hall style of meeting, he took questions from the crowd. One of the inevitable questions, poorly phrased by an attorney for whistleblowers, was about why Obama had reversed his stance on the FISA reform legislation that passed the Senate this week. My immediate reaction was a feeling of betrayal, but I now better understand Obama's perspective and, while I don't fully agree with his comments, I at least feel that I can still support him as a candidate.

Following are some of the points he made in response, and my thoughts:

Continue reading "Obama on His FISA Vote" »

The Absurdity of Physical Security Screening

As already mentioned, I had the opportunity to attend an Obama rally this week. Perhaps the single most intriguing thing to jump out at me from a security perspective was the security screening process. In addition to requiring everybody to get tickets in advance (thanks to the wife on that), we then had to stand in a line while everyone filed through a number of metal detectors set up and run by the Secret Service.

Now, before I go on and give you a chance to consider me an idiot, bear this in mind: the tickets urged people not to bring bags because of security screening, but it never clicked with me (for whatever reason) that they would be doing airport-style crazy screening. In my own defense, when they walked us through security screens on the National Mall, there were no metal detectors and thus I didn't have an issue. This time, however, I was caught unawares, and it cost me... a pocket knife.

Continue reading "The Absurdity of Physical Security Screening" »

July 22, 2008

When Admins Go Bad

You've undoubtedly heard by now about the San Fran net admin who refused to give up sole control of the network, and thus was thrown into the pokey to compel him to cooperate. Network World has a great article that provides some anonymous insider info on the debacle. My favorite quote:

"Later in the e-mail, my source offered some insight into what may be at the core of the issue: Childs was so paranoid about the security of the network that he even refused to write router and switch configs to flash, which would mean that if the device was powered off, all configurations would be lost."

So, really, he's just practicing good secure computing apparently? Um, no. If he thinks that neither keeping backups of configs nor writing them to flash is good security, or if he thinks that having sole control over the network is good security, then he's clearly crossed the line from genius to insanity. My read is that "security" may have been a convenient justification for him when talking to management, but that his motives were really job security and making himself feel more important. This seems to clearly be a case of a big ego out of control.

The article also suggests that all this drama ensued after a newly onboarded security manager started pressing to get the admin access for the network out of the sole hands of this joker.

So, is this net admin: a) delusional b) drunk on power or c) completely nuts?

August 1, 2008

Top 10 Reasons I'm Not Attending BlackHat

1010. The baby is due any day now.
1001. I don't look good in black.
1000. CRISS ANGEL Believe™ Hasn't Opened Yet
0111. No piercings or tattoos.
0110. I don't enjoy over-hyped over-the-top presentations.
0101. In the game "spot the fed" I would always be identified as "the fed" (though I'm not one).
0100. Unable to get into the really good parties (see "spot the fed" remark).
0011. My philosophy of security is much broader than 3117 h4X0ring.
0010. August is the wrong time of year for hiking the Grand Canyon.
0001. Because with BlackHat, what happens in Vegas doesn't seem to stay in Vegas.

Indefinite Laptop Seizures at the Border? *sigh*

Just when you think the US Government can't get any more ridiculous, they do. According to the Washington Post, DHS has made several more broad claims about their border security capabilities. According to the DHS (home of the ever-brilliant TSA), without any just cause or suspicion Border agents may seize laptops for as long as they want, they can take them off-site, they can image them, and they can then share those drive images with any number of other government agencies. From the article:

"DHS officials said the newly disclosed policies -- which apply to anyone entering the country, including U.S. citizens -- are reasonable and necessary to prevent terrorism. Officials said such procedures have long been in place but were disclosed last month because of public interest in the matter."

(warning: RANT) To the DHS and the reigning terrorist regime that is the Bush administration: Seizing laptops without cause does more damage to the cause of freedom, democracy, and free markets than anything any half-wit terrorist with a shoe bomb could ever accomplish. You, Bush administration, have used "national security" and "terrorism" as a direct excuse to fundamentally undermine key tenets of this country, and you continue to make boneheaded decisions and policies like the one cited here without one iota of competence in the field of security. You can never eliminate all threats and vulnerabilities. There will always be risk. If you are not able to understand this core concept within information security then, please, for all of our sakes, remove yourselves from office because YOU are the threat to national security. Your continued use of terrorist threats, meant to scare and intimidate (indeed, to terrorize) the citizens of this country, has grown tired and weak and pathetic.

It's my hope that Congress will finally intervene to constrain Border agents and DHS and TSA and any other idiots who think that all freedom and privacy should be sacrificed for "national security" so that practices like these will be halted. This policy of indefinite seizure of laptops is hostile to business travelers, and at a time when we need international business to be increasing! It's time to stick a fork in this "national security" abuse and reinstate a bit of personal security and privacy protection.

August 8, 2008

Clarified's Visualization of DNS Patching

Check out this cool video from Clarified Networks showing the progress of patching against the Kaminsky DNS vulnerability.

Hat tip to O'Reilly Radar for the find...

August 12, 2008

This Digital Life: Reality and Fiction Blur

This won't be a long post, unfortunately, but I think everyone needs to take a moment to reflect on the significance of this Olympics. No, I'm not talking about the sports and the athletes and the achievements. I'm talking about the digital sleight of hand that was used to make everything appear perfect, when in actuality there has been just a little bit too much sheen and shine.

For me, it started last night while watching a special bit on NBC about how China has forced everyone to change their behavior and attire in Beijing. This approach has been lauded as great and revolutionary. "Look, honey, the Chinese people all look Westernized now!" Except for one little problem: they were forced or coerced into these changes, sometimes using nationalism, and sometimes sheer brute force. That's somewhat disturbing from a civil rights perspective. But now we're starting to hear details about the Opening Ceremony and how they were manipulated digitally to portray things in a better light.

From an information security perspective, it concerns me greatly that so much digital manipulation has occurred. We're not just talking about bleeping out bad words on a time delay, nor are we talking about the magic of television (such as levitation tricks using wires we can't see). Instead, we're talking about entire series of events simulated digitally instead of being performed live, and time-based manipulation of the sequence of events simply to drive up ratings. Specifically:

* Did NBC Alter the Olympics' Opening Ceremony? It seems that NBC manipulated the sequence of events in their telecast of the Opening Ceremony in order to drive up viewership. It is alleged that they held off showing the entrance of Team USA until a much later time. This is one of those manipulations that is just idiotic. Did they seriously think that people would suddenly stop watching the minute they saw Team USA? I mean, for me, personally, I stopped watching as soon as the teams started entering the stadium. 3 hours of sheer boredom that is! :)

* Olympic Opening Ceremony Fireworks Were (Partly) Faked: This manipulation is somewhat disturbing, because nobody would have known if the Chinese hadn't disclosed it. Apparently the "footsteps" firework show was filmed in advance and then edited into the live coverage of the Opening Ceremony. From a security perspective, everybody should take note: this takes to a new level the amount of distrust we ought to be placing in what we see with our own eyes. If you're not physically present, then you cannot trust what is shown. We're used to some "television magic" making things work, such as green screens and the like, but this is one of the first times I recall that a live presentation was significantly altered using digital manipulation. It's kind of scary, actually.

* China Olympic ceremony star mimed: This isn't overly remarkable, but it's still annoying. Remember the cute little girl singing the Chinese anthem? Apparently she was lip-synced. Ok, no biggie, right? Well, actually... she lip-synced to someone else's singing. Oh, sigh. That's so Hollywood (or is it Disney?)! One clear trend here is that the Chinese are putting the visual presentation of the Olympics ahead of the truth and reality of it, whenever possible anyway.

* Windows BSoD takes the Gold at the Beijing Olympics: This one is just amusing, not the least of which because it couldn't be covered up live (I wonder if it was visible during the broadcast, though? Here's another case to investigate around digital manipulation of reality...). Apparently one of the Windows systems supporting the Opening Ceremony had a Windows Blue Screen of Death, which got projected on the ceiling of the stadium. Check out the pics in the link. Very funny. :)

So, enough complaining from me. I suppose some day we'll find out that the Opening Ceremony really took place in a sound studio and that the athletes don't have to even show up in person to compete any more. If it's alright by everyone else, I'll just sit here and mourn the loss of trust in that which is presented as "live" and "reality." In television and business, apparently nothing is sacred.

August 13, 2008

Interesting Phone Scam

I'm always leery when the phone rings and someone tries to offer me something I didn't ask for. Today was no exception - and possibly a good example of social engineering masquerading as a "deal" to lower my credit card rates.

When I picked up, the automated system said "This is your final chance to lower your rates - please press 1 now to speak to a live agent." Unsure just which "rates" were going to be lowered, I went ahead and pressed 1 to see what it was about.

A few seconds later an agent came on the line. She thanked me for pressing 1 to have my MasterCard and Visa rates lowered (hmmm - interesting - why would they be calling regarding competing credit card brands?). She asked me if I would like my interest rates lowered, and I said that might be ok. She then proceeded to ask me what the balance is on my current card(s). I said "if you're from the credit card company, you already know the current balance - I'm sorry, which credit card company are you calling from?"

She responded that she needed to ask me 4 questions to qualify me for a lower rate. I said "well, I need you to tell me what credit card company you're calling from first before I answer any of your questions." *click* She hung up!

Scam 101: If it seems too good to be true, it probably is. If the caller purports to be representing competing brands, then they're probably a competitor. If they can't/won't tell you who they're working for, then you should not disclose anything to them. And, lastly... If they hang up, you've just busted their scam! :)

BTW, for those interested, the caller ID listed the number as 321-729-9349, which appears to be a Melbourne, FL, phone number. Just in case you'd like to proactively block that number on your phone or PBX. :)

Tax Dollars at Waste: USAF Cyber Command Suspended

Remember all that press last year about the pending Internet apocalypse? I sure do. At the time I said "how convenient - this AF General is looking for money for his 'Cyber Command' program and suddenly there's a huge, looming, imminent threat." Well, as it turns out, this program has now been suspended. It's little wonder, too. As the article points out, it's not like there aren't already computer warfare divisions in the Navy and Army that have well-established track records (didn't the legendary SANS guru Stephen Northcutt have involvement with the Naval program some 20-30 years ago?!?). So, perhaps, for once, we'll see fewer tax dollars wasted for this one small instance. Oy!

Hat tip to HelpNet Security.

August 14, 2008

A Systematic Approach to Risk Management

Ever since I took Systems Engineering I in my masters program at GW, I've viewed information security and risk management a little differently. In fact, as I've matured over the years, I've come to view the field(s) through multiple lenses, and continue to seek out new perspectives. From Systems Engineering, I learned to view risk as a systematic problem that required fault tolerance and that needed to balance the cost of solutions against the effective reduction of loss potential. This approach is also very compatible with the "risk resiliency" approach that my current employer is favoring in their marketing pitch, and something that I've naturally latched onto as being similar to my style of communication around risk management.

To that end, I had an opportunity to meet with Dr. Vernon Grose of the Omega Systems Group this week. His organization has been providing systematic risk management services for a few decades. In particular, his methodology has a couple of key components that I found to be particularly interesting. First, Omega advocates a top-down workshop approach to initiating risk assessment as a lead-in to making risk management decisions. This workshop has some similarities to the NSA IAM/IEM approach, but differs by focusing on the executive/strategic level, making use of scenarios for planning. Second, Dr. Grose brings to bear a systems engineering approach to risk management wherein all scenarios are evaluated against a minimum of 3 countermeasures, looking uniquely at the costs of reducing or eliminating the losses associated with a given risk scenario based on a refined ranking approach.
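To make the "cost of solutions against reduction of loss potential" idea concrete, here is an added example of a minimal systems-engineering style risk ranking. It is my own illustration, not the Omega Systems Group's or Dr. Grose's method: scenarios are ranked by unmitigated annual loss, and each one is weighed against at least three countermeasures (with "accept the risk" always one of them) by the expected loss a control removes versus its annual cost. Every scenario, rate and dollar figure is constructed.

```python
# Added example, not the Omega Systems Group's or Dr. Grose's method: a minimal
# systems-engineering style ranking of risk scenarios and countermeasures. Each
# scenario carries an expected loss per occurrence and an annual frequency; each
# countermeasure is judged by the expected loss it removes against what it costs.
# All scenario and cost figures below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss: float   # expected loss per occurrence, in dollars
    annual_rate: float   # expected occurrences per year

    def annual_loss(self) -> float:
        """Annualized loss expectancy with no countermeasure applied."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    rate_reduction: float = 0.0   # fraction of occurrences prevented (0..1)
    loss_reduction: float = 0.0   # fraction of per-occurrence loss removed (0..1)


MIN_OPTIONS = 3  # every scenario is weighed against at least three countermeasures


def residual_annual_loss(s: Scenario, c: Countermeasure) -> float:
    """Expected annual loss that remains once the countermeasure is in place."""
    return (s.single_loss * (1 - c.loss_reduction)) * (s.annual_rate * (1 - c.rate_reduction))


def net_benefit(s: Scenario, c: Countermeasure) -> float:
    """Loss avoided minus cost; positive means the control pays for itself."""
    return s.annual_loss() - residual_annual_loss(s, c) - c.annual_cost


def rank_scenarios(scenarios) -> list:
    """Order scenario names by unmitigated annual loss, highest first."""
    return [s.name for s in sorted(scenarios, key=Scenario.annual_loss, reverse=True)]


def evaluate(s: Scenario, options) -> list:
    """Rank a scenario's countermeasures by net benefit; refuse to decide on fewer than MIN_OPTIONS."""
    if len(options) < MIN_OPTIONS:
        raise ValueError(f"{s.name}: need at least {MIN_OPTIONS} countermeasures, got {len(options)}")
    ranked = sorted(options, key=lambda c: net_benefit(s, c), reverse=True)
    return [(c.name, round(net_benefit(s, c), 2)) for c in ranked]


# Constructed portfolio. "Accept the risk" is always one of the options,
# so a control only wins if it beats doing nothing.
ACCEPT = Countermeasure("accept risk", annual_cost=0.0)

PORTFOLIO = {
    Scenario("lost laptop with unencrypted data", single_loss=200_000, annual_rate=0.5): [
        Countermeasure("full-disk encryption", annual_cost=20_000, loss_reduction=0.9),
        Countermeasure("cable locks and travel policy", annual_cost=5_000, rate_reduction=0.3),
        ACCEPT,
    ],
    Scenario("phishing leading to account takeover", single_loss=40_000, annual_rate=3.0): [
        Countermeasure("multi-factor authentication", annual_cost=30_000, rate_reduction=0.8),
        Countermeasure("mail filtering", annual_cost=15_000, rate_reduction=0.5),
        Countermeasure("awareness training", annual_cost=10_000, rate_reduction=0.3),
        ACCEPT,
    ],
}


def plan(portfolio=PORTFOLIO) -> dict:
    """Top-ranked countermeasure for every scenario, keyed in order of scenario severity."""
    by_name = {s.name: s for s in portfolio}
    return {name: evaluate(by_name[name], portfolio[by_name[name]])[0]
            for name in rank_scenarios(portfolio)}


if __name__ == "__main__":
    for name, (control, benefit) in plan().items():
        print(f"{name}: {control} (net benefit ${benefit:,.0f}/yr)")
```

The point of forcing three or more options per scenario is visible in the output: the cheapest control is rarely the best one, and "accept" makes the cost of doing nothing explicit instead of implicit.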

Continue reading "A Systematic Approach to Risk Management" »

August 18, 2008

DIY DefCon 16 Badge by Jack :)

Go check out Jack's "do it yourself" DefCon 16 "hackable" badge. :)

August 20, 2008

Coach Your Way to Better Security

As noted earlier, I've recently read James Flaherty's excellent book Coaching: Evoking Excellence in Others. My original purpose in reading this book was to help generate content for an internal training course I'm developing on savvy skills for consultants (I also read Ron Fry's Ask the Right Questions Hire the Best People for the same project). However, as I began reading this work, it occurred to me that what Flaherty describes is really a philosophical shift that has great applicability to the information security profession. In particular, this line jumped out at me: "...command-and-control organizations cannot bring about the conditions and competencies necessary to successfully meet the challenges holistically. For the most part, organizations know this and have attempted to reorganize themselves using the principles of total quality management and reengineering." (p2) Put in a security context, what he's saying is that all these top-down initiatives may be good and fine, but they only serve to reinforce the self-defeating practice of a command-and-control management structure, disincentivizing people to step up and act responsibly.

Within information security, perhaps the number one place where we see this sort of situation is in policy enforcement. Most organizations today have policies, but how well are they enforced? If they are enforced, is it through a heavy-handed approach, or because everyone is onboard? From a psychological perspective, the bottom line - as always - is that people will only change either because they want to or because of a trauma. Unfortunately, as Flaherty notes, simply providing stimuli (pain or reward) is not generally enough incentive on either account.

Continue reading "Coach Your Way to Better Security " »

September 3, 2008

Security Industry in a Nutshell? :)

Me certainly thinks so! :)

Dilbert.com

September 6, 2008

Blind Acceptance of Mediocrity

"Too many people are thinking of security instead of opportunity. They seem more afraid of life than death." James F. Byrnes

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."
Benjamin Franklin

"I would rather be exposed to the inconveniences attending too much liberty than to those attending too small a degree of it."
Thomas Jefferson

I'm of the opinion that American society has peaked and is now in the throes of an implosion. It's the only reasonable explanation I can find for the hubris of stupidity I see in a full half of the population. When lies are heralded as great conquests, when hyper-aggressive law enforcement can be applauded for trampling on the Constitution, and when we see other countries pursuing scientific achievement while we flounder, bickering over petty religious squabbles instead of finding common ground - well, let's just say it's rather disturbing.

Let's not stop there, however. American business is in shambles. Fannie and Freddie are about to be taken over by the government, which has already artificially sustained, if not rewarded, very bad decisions. What sort of free market doesn't allow idiots to fail? If you make bad decisions, you should suffer the consequences. Instead, our government sustains those bad decisions, drawing them out endlessly (seen the American airline industry lately?).

I have a high school acquaintance who likes to rail about how Obama is too liberal, possibly a Marxist, FUD, FUD, doom and gloom. Yet the present administration has done far more to undermine the country than any future leader will be able to do. Look at the despotic and violent tactics in St Paul this past week while the administration's party had its convention. Not only were police initiating violence against peaceful protesters and peacekeepers, but they actually targeted journalists and medics. What sort of country are we living in that not only actively seeks to oppress the citizens, but goes out of its way to quash reporting on the incidents and medical support?!? Yet they congratulate themselves on a job well done!

Then there's the mediocrity of American business. I've seen many IT shops throughout my career and one thing is constant: they're all a mess. I view IT as a window into the soul of the business. If you can't figure out how to properly manage your technical organization, then you're not going to be able to manage the rest of your org well, either. Simply put: I often wonder how any company stays in business.

The irony is that this industry of ours relies on so-called "best practices" - which, as Scott Adams noted in Dilbert this past week, is just code for mediocrity. When did we get to the point that this was blindly acceptable? When did we decide as a people that average was fine, innovation was too much work, creativity was crazy talk, free speech was threatening, and medical care too much hassle?

So, I wonder, is there any recovery for our ailing, failing society? Can we cut from ourselves the cancer of negative, angry politicians corrupted beyond recognition? Or will we remain in the grasp of organized crime by way of dispassionate multinational corporations? It is these orgs that are threatened by freedom, liberty, and civil rights. The more freedom and open disclosure we have, the more likely their corruption is to be exposed. Their mediocrity will be questioned, and they will either fail or be forced to correct their ways.

I fault the managers of the economy in the government and the Federal Reserve for not allowing the economy to nose-dive and then self-correct. Instead, we limp along seeing real inflation out-pacing growth in income, we see Americans without health coverage, and we see outright despotism in places like the White House, the Department of Justice, the Department of Homeland Security, and played out in the streets of St Paul, MN. A properly structured and trained DHS organization should have been on the side of the protesters, defending them against overzealous law enforcement, rather than organizing the thug squads to drive out, raiding protest planning parties, manufacturing conflict where none existed.

You'll note that hundreds of arrests were made. Where are the charges? They're few and far between, if they exist at all. Law enforcement was used to oppress freedom of speech, expression, and journalism. As in business, the tyranny of despotic rule and police state oppression serve a purpose counter to the best interests of industry and society. If the goal is to suppress and placate, then congratulations, we're doing swell. However, there is then no room for complaining by politicians and business leaders as their organizations erode and collapse from the lack of innovation and creativity. You lose your right to complain when your actions have directly resulted in the problem at hand. The only path to recovery and revitalization is a wholesale redress of the system, including the arrest, fair trial, and eventual imprisonment of those thugs who are responsible for the present environment. No, that's not bin Laden and al Qaeda. It's people like Bush, Cheney, Rove, Rumsfeld, Clinton, Podhoretz, and so on.

I leave you with a couple more quotes from Jefferson:

"The spirit of resistance to government is so valuable on certain occasions, that I wish it to be always kept alive. It will often be exercised when wrong, but better so than not to be exercised at all. I like a little rebellion now and then. It is like a storm in the atmosphere."
Thomas Jefferson to Abigail Adams, 1787.

"Most codes extend their definitions of treason to acts not really against one's country. They do not distinguish between acts against the government, and acts against the oppressions of the government. The latter are virtues, yet have furnished more victims to the executioner than the former, because real treasons are rare; oppressions frequent. The unsuccessful strugglers against tyranny have been the chief martyrs of treason laws in all countries."
Thomas Jefferson: Report on Spanish Convention, 1792


September 23, 2008

IEEE Key Management Summit 2008

I'll be in Baltimore Tues-Wed this week (today and tomorrow) attending the IEEE Key Management Summit 2008. If anybody else is around for the event and wants to hang out, please feel free to leave me a comment.

As far as blogging, I'm planning to write at least a couple posts based on the sessions and what I might learn. If I manage to get vendor interviews, I'll try to post those, too.

September 25, 2008

Summary of IEEE Key Management Summit 2008

I had the opportunity to attend the inaugural Key Management Summit this week in Baltimore, MD. The IEEE hosted it in conjunction with the Mass Storage Systems and Technologies (MSST) conference as the IEEE P1619.3 key management standard (under development) is part of the IEEE Security in Storage Working Group.

Overall, the conference was interesting and enlightening, but not perhaps in the way that I'd hoped. In general, it really highlighted the dysfunctional nature of IEEE standards committees, as well as how far removed these groups can be from reality. It was intriguing to see the contrast of 1619 against the OASIS EKMI technical committee, which itself had to demonstrate business value and buy-in just to be launched; against the IETF committees, which were similarly dysfunctional; and against the ANSI X9 committee, which has apparently covered much of the ground under discussion, or leading up to the key management topic, but which has played almost no direct role in any of the other committees because their focus is technically limited just to the financial services industry (despite a lack of involvement with BITS).

Continue reading "Summary of IEEE Key Management Summit 2008" »

October 1, 2008

It's National Cyber Security Awareness Month

Excerpted from an ISC(2) announcement yesterday:


In support of the month, ISC(2) has launched Cyber Exchange where you can download original cyber security awareness materials at https://cyberexchange.isc2.org. The Cyber Exchange houses free security awareness tools from around the world, designed to be used by any organization or individual that wishes to promote online safety at work or within their community. It can also serve as a support tool for private and public sector organizations required to meet cyber security awareness training requirements under directives such as the Federal Information Security Management Act (FISMA).

(...)

Commemorated by the U.S. Congress, the goal of National Cyber Security Awareness Month is to heighten public awareness of the critical role each citizen plays in protecting information assets. We have expanded Cyber Security Awareness Month to include all of our global members because they are among the top security experts in the world and are the perfect candidates to spread the word about cyber safety. To find out more about ISC(2)'s involvement with the month and its efforts to address cyber security awareness on a global scale, please visit www.isc2.org/awareness.

October 3, 2008

Published in EDPACS: "Key Management: The Key to Encryption"

Greetings folks. Just a quick FYI, I've had an article, titled "Key Management: The Key to Encryption", published in the October 2008 edition of EDPACS. More information is available here. The article is based on an earlier blog post. Please ping me if you don't have access to EDPACS and would like to see the article.

Stupidity Prevails: How the Bailout is Like Enterprise Security

Unless you've been living under a rock the past couple weeks, you've heard about the much-maligned "bailout" (er, sorry, "recovery" - not!) package that the US Congress has been kicking about. The plan originally allocated US$700B to the US Treasury Dept., at the discretion of the SecTreas, to buy a bunch of bad, overpriced paper from financial services companies that are acting greedy and are unwilling either to disclose how much bad paper they have or to reduce the price of the paper and incur a loss. Despite massive outcry from the public (you know, those fabled "constituents" who allegedly elected these elected officials), Congress has gone ahead and approved it today, with a few "sweeteners" added to bribe over the few hold-outs (about $110B in earmarks and tax credits - see here).

A few things have struck me about this entire ordeal and its similarities to life in enterprise security.

Continue reading "Stupidity Prevails: How the Bailout is Like Enterprise Security" »

October 6, 2008

Out with TMDA, In with Spam Assassin

I hate spam. I really, really, really hate spam. Most people do. None of this is probably a shock, given that I'm a security professional and heavy IT user. That being said, I've finally hit the wall with TMDA. For those not familiar with it, TMDA intercepts messages before they hit your inbox and quarantines them unless you've whitelisted the sender, or they confirm their message. In theory, this is an excellent way to go because people you know only need to confirm their message once, and after that they'll not get bothered again (unless they change email addresses).

However, in practice this doesn't work. Why? Mainly because not everybody gets it, no matter what you might put in the bounce-back confirmation message. Meaning, I end up having to go through my pending queue on a daily basis to see if mail has arrived from authorized sources that I may not have whitelisted (recruiters are a perfect example).

There's another problem, too, and one that has really driven me to the brink. TMDA is great for stopping mail from getting to my inbox, but it also facilitates bounce-back spam. Over the past couple months, I've detected a major increase in Russian-language spam where the intended recipients are listed in the "FROM" field, on the assumption that TMDA will bounce the message with a legitimate confirmation message - a message that also includes the spam. I am, then, unwittingly making the problem worse. And, for that reason, I'm done. TMDA is disabled, but I'm not letting the spam win.

Instead, I've fixed the simscan scans being run as part of our qmail setup. All messages are now getting scanned with ripmime, ClamAV, and SpamAssassin, and messages over a certain threshold are going to get dropped silently. If I find legit mail is disappearing into the void, I'll then have to increase the threshold (or decrease it if too much bad stuff gets through). However, all told, I'm hopeful that this approach will be much more effective. And, for non-IT users, much less confusing.
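To show why the switch matters, here is an added toy model of the two policies described in this post: a challenge-response filter that bounces a confirmation (quoting the message) to every non-whitelisted sender, and a score-and-drop filter with a tunable threshold. It is my own illustration, not TMDA's or SpamAssassin's code; the three scoring rules, the threshold, the whitelist and the sample messages are all constructed. The forged-From sample demonstrates the backscatter problem: under challenge-response the innocent owner of the spoofed address receives the spam inside the "please confirm" bounce, while under score-and-drop the message is discarded and nobody is bounced.

```python
# Added example: a toy model of the two anti-spam policies discussed in this post,
# not TMDA's or SpamAssassin's actual code. The scoring rules, threshold, whitelist
# and sample messages are all constructed for illustration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str   # From address as the filter sees it; spammers can forge it freely
    subject: str
    body: str


# Constructed heuristic rules: (name, pattern, points). Real rule sets are far larger.
RULES = [
    ("CYRILLIC_RUN", re.compile(r"[\u0400-\u04FF]{5,}"), 3.0),
    ("MONEY_WORDS", re.compile(r"(?i)\b(urgent|wire|million|lottery)\b"), 2.5),
    ("EXCLAMATIONS", re.compile(r"!{3,}"), 1.0),
]

# The post tunes this: raise it if legitimate mail disappears, lower it if spam leaks through.
DROP_THRESHOLD = 5.0


def score(msg: Message) -> float:
    """Sum the points of every rule that matches the subject or body."""
    text = msg.subject + "\n" + msg.body
    return sum(points for _, pattern, points in RULES if pattern.search(text))


def score_policy(msg: Message) -> str:
    """Score-and-drop policy: silently drop at or above the threshold, otherwise deliver."""
    return "drop" if score(msg) >= DROP_THRESHOLD else "deliver"


def challenge_policy(msg: Message, whitelist: frozenset) -> tuple:
    """Challenge-response policy: whitelisted senders are delivered; everyone else is
    quarantined and a confirmation request quoting their message goes back to the
    sender address. Returns (decision, bounce_text_or_None)."""
    if msg.sender in whitelist:
        return "deliver", None
    bounce = f"To: {msg.sender}\nPlease confirm your message:\n> {msg.body}"
    return "quarantine", bounce


def backscatter(messages, whitelist) -> dict:
    """For the challenge-response policy, map each address that would receive a bounce
    to whether that bounce carries spam (True means the forged sender is a victim)."""
    victims = {}
    for msg in messages:
        _, bounce = challenge_policy(msg, whitelist)
        if bounce is not None:
            victims[msg.sender] = score(msg) >= DROP_THRESHOLD
    return victims


WHITELIST = frozenset({"friend@example.com"})

# Constructed sample traffic: one known sender, one legitimate stranger, one forged spam.
SAMPLES = [
    Message("friend@example.com", "Dinner?", "Are you free Friday?"),
    Message("recruiter@example.net", "Opportunity", "I have a role that may interest you."),
    # Forged From: the real owner of victim@example.org never sent this.
    Message("victim@example.org", "Срочно!!!", "Выигрыш: one million dollars, wire now!!!"),
]


def run_all(messages=SAMPLES) -> dict:
    """Score-and-drop decision for every sample message."""
    return {m.sender: score_policy(m) for m in messages}


if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.sender:25} score={score(m):4.1f} -> {score_policy(m)}")
    print("bounces under challenge-response:", backscatter(SAMPLES, WHITELIST))
```

Note that the recruiter is challenged under the first policy and delivered under the second, which is the "not everybody gets it" cost the post describes; the threshold trades that friction for a small risk of dropping legitimate mail that happens to score high.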

We'll see how this little experiment goes. Hopefully it works out. I'd be curious to hear what others are doing for spam and how effective their solutions are.

October 10, 2008

Contributing Writer: Truth to Power

As of this week, I'm an official core guide for "Practical Security" on a new collaboration site, Truth to Power (T2P). So, what is T2P? From their "About Us" section:

"Truth to Power is about the control of information. It is based on the premise that information is truth, and knowledge is power—both in business systems and in our heads. It is dedicated to helping IT, business, legal, and audit managers unlock the potential of information, allowing companies to dramatically improve performance and reduce risk."
Put more concisely, "Truth to Power is about connection: people to people, people to ideas, ideas to action."

I hope that you'll join me on T2P. And, if you're interested in contributing, please ping me in the comments and I'll introduce you to one of the founders of the organization. Also, while you're checking it out, please take a read through my first post, Treating Security Like Speed Limits, and let me know how you liked it.

October 22, 2008

Choosing Good Passwords :)

Refuting Falsehoods vs Blind Zealotry

I recently de-friended an acquaintance on Facebook because I could no longer tolerate the open disdain and hatred he showed toward a particular presidential candidate. He would constantly post links to extremist sites purporting to have the inside scoop on this candidate's hidden agenda, hidden religious bias, and other alleged secret plans. While it was true that I supported this candidate, this fellow attributed my refutation of his assertions to mania for the candidate instead of an attempt to debunk the myths he was perpetuating. In the end, he even mocked me for walking away, because he again saw my fact-checking and push-back as blind zealotry and not an earnest attempt to put aside rumor and innuendo in favor of what is widely held as the truth (it should be noted that he opposed both main-party candidates, yet only saw fit to bash the one, ironically).

It's struck me in reflecting on this situation that this sort of conflict arises very often. The political season seems to bring to life some of these age-old debates, but at their core we find behavior that plays out in the average enterprise every day. It is these hobgoblins of foolish consistency, about which Emerson warned, that plague many IT departments, and really businesses at large, in dealing with issues of security, privacy, and business continuity.


October 23, 2008

MS Releases Critical Patch Out-of-Cycle

Just a quick heads-up, though I'm sure everyone has seen this already. Microsoft has released a critical patch out-of-cycle as of today. From the SANS link below, "The update addresses a vulnerability with RPC calls which can be referenced from SMB connections." It's implied that there is a remote code exploit for this bug, and the out-of-cycle nature of the patch suggests that there may be an emerging or active threat.

Primary links:
http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
http://blogs.technet.com/msrc/archive/2008/10/22/advance-notification-for-out-of-band-release.aspx
http://isc.sans.org/diary.html?storyid=5227&rss

Additional coverage:
http://voices.washingtonpost.com/securityfix/2008/10/microsoft_to_issue_emergency_s_1.html
http://securosis.com/2008/10/23/microsoft-critical-update-today-link-to-4-pm-et-webcast/
http://www.securityfocus.com/brief/844?ref=rss

November 8, 2008

SC World Discount Available thru Security Bloggers Network

Announced by our fearless leader, you can get a 35% discount for the SC World Congress December 9-10 in NYC at the Javits Center thanks to the conference partnering with the Security Bloggers Network for promotion. For one-day passes, use promo code "Blog1" and for two-day passes use promo code "Blog2". That's all you have to do!

November 10, 2008

Death and Renewal

I love Fall. It's my favorite time of year. The weather has that wonderful chilly bite to it, the humidity generally drops away, and then there's the foliage! This Fall, here in Northern Virginia, has been the best of the best. We've never seen colors like these in the last 5 years, and friends who've lived here much longer say they don't ever recall a Fall like this, either. So, suffice to say, I'm rather pleased with the outside world.

Fall, however, is about more than just pretty colors. It's also about the cycle of life. In the grand scheme of things we typically associate Fall with the dying throes of life, Winter with the period after death, Spring with the emergence of new life, and Summer with the peak of living. Putting aside the somewhat morbid aspects of this life cycle, I have to wonder how many organizations apply similar thinking to themselves? How many decisions have - or should have - a life cycle? I would think pretty much everything should be evaluated accordingly, but it doesn't always seem to be the case.


Remote Key Copying - Eep! :)

Thanks to Kottke for pointing this out...

"House keys left out on table + telephoto lens at a distance of 200 feet + SNEAKEY key duplication software = perfect working copies of your keys. Eep. The system also works with crappy cellphone camera photos."

So, this means from a physical security perspective, it's probably best not to leave your keys sitting in plain sight - especially if they are keys to anything remotely valuable!

Also noted by Schneier last week here.

November 14, 2008

Excellent Crypto Law Resource

Found and forwarded by a colleague on the ABA InfoSec Committee, following is an excellent source listing international laws that impact use of cryptography:
http://rechten.uvt.nl/koops/cryptolaw/

November 15, 2008

Spam Economics

According to a new study:

"After 26 days, and almost 350 million email messages, only 28 sales resulted," says the research paper.

Yet even with this apparently abysmal response rate of less than 0.00001 per cent, the researchers still estimate that the controllers of a network the size of Storm are still bringing in about $7,000 (£4,430) a day or $3.5m (£2.21m) over a year.

I'm sure everybody would love to make an extra $3.5m/yr for doing not much of anything. And we wonder why the spam problem is so pervasive. How much do we spend on anti-spam efforts each year? Does it outweigh the benefits seen by the perpetrators?

Hat tip to Marginal Revolution.

November 18, 2008

Various and Sundry InfoSec News Items

Greetings, one and all. Apologies on not blogging as much lately, but life is busy! I wanted to share a few pieces of news from around the industry, on the off chance you missed it.

First and foremost, the former Chief Privacy Officer from AOL, Jules Polonetsky, has formed a new non-profit org called Future of Privacy Forum. From their about page: "FPF advocates for privacy advances that promote transparency and user control in a manner that is practical for business to implement to ensure personal autonomy for all who seek to embrace the benefits of our digital society." This is very interesting news, and it should be noted that one of their first objectives will be to put forth privacy policy objectives for the new Obama administration.

The second bit of big news is that NetWitness has announced the free availability of their Investigator software. If you're not familiar with NetWitness, then you really need to take a look. The software bit is just one component of their overall solution. It's actually rather difficult to describe what they are, because they draw from many different genres. They sniff traffic, but they also record full packets, and then they provide excellent analysis tools, including making use of their own metalanguage to look at and describe data. It's pretty powerful stuff.

In more mundane news, I spoke on a panel at CSI 2008 this week. My part of the panel discussion was "information classification." We had fun presenting and I think some people found it somewhat useful - as much as one can call a 15-minute preso useful. For me, this is an important milestone because it's the first time I've spoken at a major infosec event.

And, last, but certainly not least, I wanted to call out the other thing I became involved with this week: the ABA SciTech section's latest committee, e-Discovery and Digital Evidence. We held the kickoff meeting for the committee in DC yesterday and today, and I have to say, it was a very interesting and inspiring group. There is a lot of opportunity for outreach, growth, and improvement around these topics, including around records management. I'm very eager to continue my involvement in this committee going forward.

That's my news from around the beltway this week (so far). :)

November 21, 2008

CISSPs - ISC2 Board Elections

If you're a CISSP, please read on here. If not, you can disregard this post.

CISSPs, it's that time of year again - time to vote for your ISC2 Board. I wanted to take a minute and publicly endorse Dan Houser. Erik Heidt at Art of InfoSec has done a good job describing Dan's qualifications here. I think he's spot-on with the description and, knowing Dan a little bit myself, I agree that he would be an excellent addition to the ISC2 Board.

December 4, 2008

Good Round-Up of Mass. 201 CMR 17.00

Bejtlich has posted a good summary of info on the new Mass. law regarding protection of MA resident PII. Several links out to other sites. Check it out here:
http://taosecurity.blogspot.com/2008/12/letters-you-will-need-to-know-201-cmr.html

December 5, 2008

Uh, What Alan Said

Mr. Shimmel has a good, brief post up on the state of the economy and its impact on infosec. He pretty much hits the nail on the head. Adding on to what he says, I've been reading daily crime reports from my base city, and I've noticed a steady increase in basic theft/burglary/larceny cases. Historically, crime increases as the economy tanks, so this shouldn't surprise anybody.

From an infosec perspective, this reinforces more than anything the imperative to know what info you have, how important it is, and where it is supposed to go. If you cannot describe the "crown jewels" of your information capital, then I'm afraid you're going to have a tough time prioritizing precautions protecting it.

This note brought to you by the letters F and M (for felony and misdemeanor).

December 7, 2008

Dilbert on Workstation Security

In case you missed it today... :)

[Dilbert comic strip embedded from Dilbert.com]

December 8, 2008

CSIS Commission: "Securing Cyberspace for the 44th Presidency"

The Center for Strategic and International Studies (CSIS) has today published a new report - "Securing Cyberspace for the 44th Presidency". In it they lay out 9 high-level recommendations, which are:
* Create a comprehensive national security strategy for cyberspace.
* Lead from the White House.
* Reinvent the public-private partnership.
* Regulate cyberspace.
* Authenticate digital identities.
* Modernize authorities.
* Use acquisitions policy to improve security.
* Build capabilities.
* Do not start over.

Overall, this looks like an ok report, though I'm always a bit skeptical. I still don't have a reasonable expectation that Congress has enough competency in Internet policy to adequately address concerns. President-elect Obama certainly is more tech-savvy than any prior president, but that doesn't necessarily mean he'll be able to impart that wisdom to the Congressional common people.

I'm definitely in favor of a new Cybersecurity Directorate being established within the National Security Council - it would provide a much needed elevation in visibility and authority. I do, however, get concerned when I read statements recommending a central government strong authentication and credentialing scheme. We do not need another REAL ID debacle. We do not need the federal government to release a national credential. It's not the role of federal government, but rather a responsibility that has been delegated to the States (see, for example, birth certificates). (For more on why REAL ID is a bad idea, see the EFF REAL ID action site.)

In the end, the report is probably good for the most part, though it does lack creativity in some areas. We need new solutions to these now-age-old problems. What we've been doing thus far has not been effective - so why think that doing more of it would have different results? Anyway... give it a read - I'd be curious what you think! :)

December 17, 2008

A Couple Feed Updates

Hello. I wanted to provide a couple updates on feeds. First, before I do that, I wanted to mention that, yes, I'm planning to move back to full post delivery in 2009, just as soon as we can get MT upgraded. Anyway, that being said...

Feedburner has been gobbled by Google. As such, if you're subscribed directly to this blog, then please update to my new Google feed:
http://feedproxy.google.com/secureconsulting/ujTc

Second, if you're a subscriber to the Security Blogger Network feed, then you've likely already read that their feeds were also impacted by the Feedburner acquisition. As such, please make sure that you've updated your subscription to reflect the new address:
http://www.securitybloggers.net/feed/

Lastly, I know nobody will read this far, but just the same, if you feel so inclined, please participate in the first ever Social Security Awards. This is an award hosted by SBN for security bloggers. If you were going to vote for me *ahem* I think I'd best fit under either "Best Non-Technical Security Blog" or "Most Entertaining Security Blog". :) Or not, whatever. :) Vote here:
http://www.socialsecurityawards.com/

December 29, 2008

The Need for Quality Metadata

Happy holidays! I'm sitting here, recovering from eating far too much over the past week, catching up on reading. One of the things that has jumped out at me is the growing importance of metadata to the enterprise. This trend is important enough that I believe it will become the defining trend in 2009 and beyond.

There are a couple key scenarios that are driving this increased need: encryption and records management. These needs are somewhat interrelated (or, at least, have commonality in certain key cases). For encrypted data, the problem often ties into indexing and data retrieval. You can't quickly retrieve a specific value without decrypting it, so instead need to build intelligent indexes that tell you what the data is without revealing the data itself. This is important for normal operations and will hopefully drive improved application engineering practices that put more focus on architecting useful metadata that support the encrypted data itself.
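As an added illustration of the "intelligent index" idea above (this is example code, not anything from the post), the Python below stores an encrypted column next to a keyed HMAC of the canonicalised value. Equality lookups are answered from that index alone, and a row is decrypted only after it has been selected. The record layout, keys and sample values are constructed; the stream cipher is a toy (HMAC-SHA256 in counter mode, no authentication) chosen so the example runs on the standard library, and a real deployment would use an AEAD such as AES-GCM from a vetted library.

```python
"""Blind index beside encrypted data.

Added example, not from the post: equality lookups on an encrypted column are
served from a keyed HMAC of the canonicalised value (the metadata), so no row
has to be decrypted to find a match. Keys, layout and sample values are
constructed. The cipher is a toy used only to keep the example self-contained.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def canonical(value: str) -> str:
    """Normalise before indexing so '123-45-6789' and '123456789' match."""
    return "".join(ch for ch in value if ch.isalnum()).lower()


def blind_index(index_key: bytes, value: str) -> str:
    """Keyed, deterministic tag of the value: supports equality search but
    cannot be reversed without the index key."""
    return hmac.new(index_key, canonical(value).encode(), hashlib.sha256).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream (HMAC-SHA256); not for production."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def toy_encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per record, so equal plaintexts give different ciphertexts."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def toy_decrypt(enc_key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class EncryptedStore:
    """One encrypted column (an SSN) with a blind index stored next to it."""

    def __init__(self, index_key: bytes, enc_key: bytes):
        # Separate keys: whoever can search need not be able to decrypt.
        self._index_key = index_key
        self._enc_key = enc_key
        self._rows = {}  # record_id -> {"ssn_idx": str, "ssn_ct": bytes}

    def insert(self, record_id: str, ssn: str) -> None:
        self._rows[record_id] = {
            "ssn_idx": blind_index(self._index_key, ssn),
            "ssn_ct": toy_encrypt(self._enc_key, ssn.encode()),
        }

    def find_by_ssn(self, ssn: str) -> list:
        """Equality search that touches only the index, never the ciphertext."""
        wanted = blind_index(self._index_key, ssn)
        return sorted(rid for rid, row in self._rows.items() if row["ssn_idx"] == wanted)

    def reveal_ssn(self, record_id: str) -> str:
        """Decrypt a single selected row (the only point at which the key is used)."""
        return toy_decrypt(self._enc_key, self._rows[record_id]["ssn_ct"]).decode()

    def stored_bytes(self, record_id: str) -> bytes:
        """What someone holding only the table sees for this row."""
        row = self._rows[record_id]
        return row["ssn_idx"].encode() + row["ssn_ct"]


if __name__ == "__main__":
    store = EncryptedStore(secrets.token_bytes(32), secrets.token_bytes(32))
    store.insert("emp-1", "123-45-6789")   # constructed sample values
    store.insert("emp-2", "987-65-4321")
    print("matches:", store.find_by_ssn("123456789"))
    print("revealed:", store.reveal_ssn("emp-2"))
```

Two properties are worth noticing when running it. The index is deterministic on purpose, so a lookup works without decrypting anything, but that also means two rows holding the same value share a tag; the index reveals equality, and that leakage is the price of searchability. The ciphertext, by contrast, is randomised per row, so the same value encrypted twice looks different and the stored bytes never contain the plaintext.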

The other major driver of the metadata space will be records management, including support for eDiscovery and digital evidence. Data management and assurance will, I believe, become a new growing area of focus in 2009. eDiscovery today accounts for a major cost sink that effectively undermines the civil and criminal justice systems. In corp-corp lawsuits, the company with the most money oftentimes holds a distinct and unfair advantage because of the ability to bury the competition in discovery requests and filings.

The best solution to this challenge is to implement strong records management practices that include developing a comprehensive metadata framework that can be used to quickly identify and retrieve needed information while minimizing the cost of those queries and deliveries. Using a standard language for this metadata would be an interesting development that would then allow for much easier scoping of discovery requests. I'm hopeful that the next couple years will see an organization stepping up to formalize and expand a metadata framework for records management with a specific tilt toward eDiscovery and digital evidence support.

It will be interesting to see who will emerge as players in this space going forward. Standards should play a prominent role, if we can put aside differences to achieve best-interest consensus. There is a lot of up-side financially for enterprises to co-develop and adopt strong practices in metadata, so now we just need to start building the case and driving it forward. The trick will be coordinating support on multiple fronts, ranging from security to audit to operations to general counsel. Add in long-term cost-savings and you have a strong win-win-win-win scenario.

January 14, 2009

It's "Security" - Not "Secure IT"

(cross-posted from T2PA)

A common challenge as an infosec professional is the legacy association of the field with information technology (IT). This challenge can be quite detrimental to the enterprise, as an acute focus on technology will inevitably overlook critical issues (and I don't just mean policies!).

This year may provide the perfect opportunity to demonstrate this perspective. As budgets continue to tighten, it should quickly become obvious that "security" is far more than just an IT matter. If your organization takes a serious, deep look at all security responsibilities—arguably including risk management and assessment, policy, compliance, training and awareness, contract support, maybe litigation support, and possibly even audit—then the conclusion must necessarily be to decouple the future of your security program from the future of IT personnel.


January 29, 2009

Have Regulations Made eCommerce Safer?

January is a popular month for waxing philosophical about the past year and full of prognostication about the coming year. One popular topic this year has been that of the impact of regulations on security and, ultimately, the safety of eCommerce. As you might imagine, opinions span the full spectrum of thinking, but the general consensus seems to be that yes, things are better.

It would be irrational to argue that security technologies have not improved, just as it would be sheer folly to say that regulations like PCI have had no impact on eCommerce safety. That being said, it also isn't clear that the gains have been as significant as some have claimed, and moreover, attacks have grown exponentially in their complexity and effectiveness.

To this end, I will be delving into these opposing conclusions below. For the purposes of this post, I will talk just about Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI). These two regulations are interesting for a couple reasons, not the least of which is how they contrast.


February 2, 2009

xkcd on Security

February 5, 2009

Seeking Last-Minute SchmooCon Ticket

Yes, I know, I'm way late on this, but what the heck... for the record, I tried to get a ticket for this year's conference, but they had taken the site down due to issues. By the time I got back to the site, they were sold out (this happens every year). Anyway, enough sob story.

If anybody has an extra SchmooCon ticket, or if anybody can't go and wants to pawn theirs off, please let me know ASAP. Thank you! :)

February 11, 2009

Three Kinds of Crazy

Ok, here's a fluff piece, but it's interesting stuff from a security perspective... and, really, it's not all fluff. :)

1) From Slashdot today, False Fact On Wikipedia Proves Itself. This is an amusing little story of circular logic where someone erroneously updated Wikipedia, which was then used as the basis of multiple stories, which were in turn used to prove the validity of the erroneous Wikipedia entry. This isn't the first time this has happened, and I'm sure it won't be the last. Still, it poses an interesting challenge and dilemma.

2) According to The Bruce, Congress wants digital cameras to always click. Apparently they think that this absurd little rule would stop voyeurism. Apparently they're unfamiliar with the concept of "moving picture shows" and the advanced alien technology contained within the "camcorder" that makes voyeurism and exploitation just as possible without any clicking. This is what happens when luddites rule the world. Thank goodness our President is more technologically savvy...

3) The MN Supreme Court apparently isn't being heeded. Steve Bellovin has an in-depth article up about getting access to breathalyzer source code. The MN SC ruled a while back that defendants should be allowed access to the code - which, incidentally, is owned by the State - to aid in their defense. It turns out that breathalyzers use a rough average for calculating what's considered an ok level for a person, not taking into account numerous variables. If you blow a .08 (the legal limit), then depending on your body make-up, this may actually be a high score, meaning it's inaccurate. Rather than codify a +/- tolerance in the readings, they're taken at face value. As such, it's worthwhile to see the source code to determine what assumptions were made and to see if they impact the defendant favorably or unfavorably. This just highlights where an approximation is treated as an absolute measurement, leading to the potential for the unfair prosecution of people.

Sports and Risk Decisions

A few quick thoughts from recent sports news...

By now everybody has heard about Michael Phelps and the bong photo-op. What this should teach us is the importance of evaluating risks before making a decision. No matter what your personal opinions are on the legalization/demonization of weed, the bottom line here is that, today, in the US, it's illegal (except in certain states for certain medical reasons), and as such, one should look at the broad spectrum of risks involved in imbibing. For Michael Phelps, it seems clear that he overlooked a few minor details when making his risk decision... details like that he's an internationally recognizable sports star, that he's often looked at as a role model, and that getting caught could (and eventually did) mean losing millions of dollars in endorsements. Of course, after his DUI arrest a few years ago, none of this should surprise us... I do, however, find it amusing that Rosetta Stone chose him for their ads, since he doesn't seem to be the brightest bulb. He should just be glad that he's not a Japanese sumo wrestler, as the consequences for this offense would have been permanent and life-long.

The other story of interest is on American downhill phenom Lindsey Vonn, who had to get her hand stitched up after shredding it on a bottle of champagne. I'd be curious about the details, but one thing here is for sure: there should not be a global ban on champagne bottles. In contrast to the bad risk decision made by Phelps, this sounds like somewhat of a freak accident. Maybe we'll find out that Vonn was engaging in risky behavior, but I'm guessing/hoping it's pretty innocent. Nonetheless, don't be surprised if somebody somewhere institutes some sort of new rules about champagne bottles at post-event celebrations.

February 12, 2009

PCI DSS v1.2 in a Nutshell

I've gotten to the point that I'm tired of continually referring back to the PCI DSS document over and over again simply to figure out what it is that still needs to be done. In order to better wrap my brain around things, then, I decided to summarize the requirements as best as possible, including specifying action items under each high-level requirement based on the detailed requirements contained therein. Since I found this to be useful, I thought others might, too. Comments extremely welcomed as improving this benefits everyone. In terms of length, this fits into a reasonably-formatted 12-page document now, as opposed to the 59 pages used in the standard.

I. Introduction

The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) version 1.2 was released in Fall 2008. This release was the third iteration of PCI, and represents its continuing evolution. Version 1.2 is structured in the manner of the audit procedures guide of previous versions, making the standard easier to comprehend from an implementation standpoint. That being said, the standard lacks an implementation guide that sets forth action items against which an enterprise can execute. That is the goal of this document.

Scope of Requirements

Contrary to popular belief, not all requirements are limited to just the cardholder data. As such, it is imperative that the scope of requirements be carefully considered and understood when planning for remediation.

Reference
The full standard and supporting documentation is available from:
https://www.pcisecuritystandards.org/

Document Approach
The approach of this document is to list a requirement, summarize it as concisely as possible, and then list actionable requirements. All statements are derived directly from PCI DSS 1.2.

Disclaimer
The author is not a PCI Qualified Security Assessor (QSA). When in doubt, it is best to err on the side of caution. If you’re subject to external assessment by a QSA, then you should work closely with them to get questions answered suitably, especially in the case of planned compensating controls.


February 19, 2009

Some Random Security Thoughts

lulz! Pirate iz d4 b0mbz!

If you need a good chuckle, please go read my friend Pirate's blog. He has a "1337" AIM SN that draws all sorts of interesting random babble. A good way to laugh your day away. :) There are, incidentally, some security tidbits to glean from here... in particular, some first-hand observations of (weakly) attempted social engineering...

This quote reminds me of the security programs for many large orgs... :

Putt's Law: "Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand."

Security Focus has an article up, "Man-in-the-middle attack sidesteps SSL", talking about how changes in default browser behavior have resulted in a less secure posture that facilitates MITM attacks.

In an homage to resourcefulness, this reformed felon is looking to apply his high-end skills, including in security and computers, in his post-confinement life/career.

In a tribute to more shoddy Science... it turns out that the National Snow and Ice Data Center (NSIDC) has botched their measurements by using an obsoleted method in estimating Arctic ice/snow coverage... from a security perspective, this really highlights the importance of good data... look at the current financial meltdown on Wall Street... by most accounts, the crisis was largely due to very poor risk management decisions thanks to poor risk evaluations... this is very much a case of "garbage in, garbage out"... we must all learn to put a critical eye on numbers - particularly statistics...

Speaking of getting things right... it seems that the tide is turning a bit on the notion that we should live in fear of terrorists... The Bruce has a post up this week titled "Terrorism Common Sense from MI6" where a former big wig from Britain's MI6 spy agency talks about how there are far worse things to be concerned with than the random terrorist attack.

February 24, 2009

You Can't Manage Security Without Risk Management

My friend Wade recently posted his thoughts on how to go about building a security team. For the most part, I found his comments to be spot-on, with one major, glaring exception. At the end of his post, he starts talking about getting into planning and measurements once you have your team in place, overlooking one major area: risk management.

Now, in his defense, Wade's objective was sharing his thoughts on how to build a good security team, starting with a good security manager who actually understands things. You cannot simply put a well-connected talking head in place and expect them to be successful managing security without the necessary technical know-how to grok what is going on. That being said, choosing who to hire and when to hire them, as well as making decisions about what technologies to leverage within your security team, must be based on sound risk management principles.

When I'm talking about "risk management" here, I'm really talking from a high level, and I'm including risk assessment and measurement as part of the equation. Plain and simple, if you're charged with building a security team and managing security objectives, one of your top challenges will be prioritization of work and resources. With security, it's very easy to let oneself slip into semi-anarchic ways where you are quickly overwhelmed by all that needs to be done. In order to keep the tigers at bay you need to make use of sound decision-making practices that prioritize your workload on a few criteria.


March 2, 2009

Security, Development, Incentives, and Acceptable Use

James McGovern has an excellent post recently on how agile development has grown to become the antithesis to security (see "Agile is the antithesis to security..."). He argues, quite correctly, that agile development is really just short-hand for "really crappy coding practices". As Telic Thoughts discusses, security has to be built-in via quality software engineering principles - the very thing that is missing from agile dev practices. Unfortunately, these days there is very little "engineering" involved in software development. To me, this seems to be a side-effect of the evolution of the Internet. Most "applications" are web-based, written in some sort of scripting language, rarely compiled, and almost never optimized.

These practices, or lack thereof, contribute to a state of insecurity that plagues the enterprise. However, none of this should surprise us because there's little incentive for businesses to implement secure practices (see Bruce Schneier's post "Perverse Security Incentives"). Business is incentivized to do what the business ideally does best: make money. Anything that gets in the way of that purpose - including security - is often seen as a negative detractor; something to be ignored. Oftentimes we in the security industry make it very easy for this attitude to pervade the enterprise, putting us at a disadvantage.

When you get down to it, the trick here is in finding a way to position security as an enabler; as a way to optimize the business. As Schneier notes in his post, Legal departments have been successfully making this case for years. After all, if you reduce liability exposure, you're reducing the risk of a significant financial loss. For security - and, really we should say IT security - we need to accomplish the same task within our different genre. Reducing risk resulting from poor IT security practices should be seen as a way of reducing the likelihood of financial loss. In fact, this is the exact goal that regulations like the Payment Card Industry Data Security Standard (PCI DSS) are hoping to accomplish (leaving aside who is making the changes and whose risk is being reduced).


March 5, 2009

Attacks on Chip n PIN, TomTom (Linux)

Two unrelated items, but I thought they were worth highlighting in case you hadn't heard the news...

First up, The Bruce has a post on "More European Chip and Pin Insecurity" talking about how the current implementation of Chip and PIN capabilities in UK credit cards is so shoddy that it's hackable. Oh, sigh... it's hard to harp on the card brands here in the US to move to chip and PIN when the implementations aren't working very well. I'm personally of the opinion that we need smartchips with an RSA-token-like 1-time code displayed on the card itself to use with each transaction. Combine that with the CVV2 value, zip code, etc, and you hopefully would have enough factors to start getting a handle on credit card fraud... maybe... sort of... :)

Second up, if you've not heard, Microsoft is suing TomTom over some sort of wonky patent infringement blah-de-blah... *yawn* Ok, but anyway... it's starting to look, however, like Microsoft is really trying to attack Linux through this attack... Slashdot has a post on it here that's worth scanning... let's hope that MS is no more successful here than they were backing SCO... and, moreover, let's hope for the day when MS learns to embrace their competition, rather than resort to underhanded legal attacks... it's kind of an old, tired meme, don't you think? ;)

March 6, 2009

Ummm... Squeeze Me?

Alright, time for a snarky request for public intervention... :) If anybody out there knows anybody in the State of Colorado's Office of Technology, you might want to perform your public service act of kindness of the month and go kindly inform them that, no, IE6 (!!!) is not more secure than Mozilla Firefox. As noted on Slashdot, making such assertions to the contrary (that IE6 is, like, the most securest-est browser ever, man) really undermines the credibility of the agency.

Source: Slashdot: "State of Colorado Calls Firefox Insecure, IE6 Safe"

March 10, 2009

Stupidity at BestBuy.com

Just a quick quip on an interesting interaction with BestBuy.com support. I received a call from "Restricted" on which I was advised by someone purporting to be from BestBuy.com that my back-ordered purchase was not successfully receiving a credit card authorization. It turns out that BestBuy.com re-authorizes the credit card transaction every 5 days. When an item is back-ordered for a long time, this eventually results in the issuing bank blocking further transactions. BestBuy.com support then called me to request that I call my card issuing bank and ask them to approve the authorization. SERIOUSLY?!? Quite literally, by following a stupid practice that they know causes problems, they've chosen to make it the customer's problem rather than fix their process.

What I find interesting here is that, really, there should only ever be 2 transactions. At the time of purchase there should be an authorization check, and then nothing further should happen until the product is ready to ship. At the ship time, the card should be run and charged, and if that fails, then and only then should BestBuy.com support be triggered to call the person. And, at that, a phone call shouldn't even be necessary. A simple "We're ready to ship, but your credit card declined." email would be more than adequate. Provide a contact number if more information is needed, but that's about it.

Of course, in either case there's a significant fraud risk. My example reads like a possible phish. *sigh* But the phone call wasn't much better. And, what's really weird is that they asked me to call my bank. Imagine running a scam where you're trying to make a false charge and it's being blocked. Just call the consumer and ask them to unblock it? Really? *sigh* Maybe it would be better simply to cancel the order if the credit card fails, requiring the user to go purchase it again? I'm sure business would love to hear that solution... of course, I wonder how much money they're spending on these phone calls asking people to unblock their repetitive authorization charge?

OASIS EKMI Coup D'état

First, some quick acronym definitions before I go acronym crazy...
OASIS - Organization for the Advancement of Structured Information Standards
EKMI - Encryption Key Management Infrastructure
KMIP - Key Management Interoperability Protocol
TC - Technical Committee

Quick background: The EKMI TC was formed in 2007 to create standards around the topic of Encryption Key Management Infrastructure, or EKMI for short. EKMI is the combined management of PKI and Symmetric Key Management Systems. The notion is that both types of systems deal with encryption keys (asymmetric and symmetric), and thus should be fully interoperable and managed jointly. Contrary to some reports, EKMI is not just an XML protocol. The goal of the EKMI TC was nothing short of developing a standard for securely managing any type of encryption key.

The controversy: In February 2009, several major vendors, including IBM, HP, and RSA, announced that they were chartering a new OASIS TC - KMIP. Ironically, some of the people chartering this new TC had been members (though not regular participants) in the EKMI TC as well as the (dysfunctional) IEEE P1619.3 standards committee. By all appearances, the KMIP charter has significant overlap with the EKMI charter, and it is not clear at all why the TC was allowed to go forward, except that under OASIS charter rules due diligence is not required. In essence, a group of vendors can get together and launch their own charter without determining whether or not there is overlap or congruence with existing OASIS TCs. The OASIS argument is that competition is good, but this seems to fly in the face of the OASIS mission, which is to drive "the development, convergence and adoption of open standards for the global information society."

Continue reading "OASIS EKMI Coup D'état" »

March 16, 2009

Security in the Comics...

I always enjoy it when security-related topics make it into the comics... the more mainstream fundamental security concepts get, the better hope I have that we might some day make real progress... ;)

(Click-through to see them in their entirety)

Dilbert.com

Userfriendly.org

:)

Quick Jest: The PCI Compliance Business

Are you familiar with the classic South Park episode "The Underpants Business"? For some strange reason it reminded me of PCI compliance today...

Phase 1: Publish PCI DSS
Phase 2: ???
Phase 3: Security!

March 29, 2009

Facebook Passes the Buck

If you're a user of Facebook, then you probably got a bazillion PicDoodle notifications early last week. In fact, if you clicked on a link, you probably generated part of those notifications. According to Facebook, it was just a broken app and not spam. Frankly, I don't care how you explain it away, it was bad. So, I sent a spam notification to Facebook saying "this app is killing us - please kill it". Now, the proper response here would have been to route it to the right people and fix the problem. However, here's the response I got from Facebook instead:

Hi Benjamin,

Thank you for reporting this potential abuse. Your issue relates to an application that was not built by Facebook. Unfortunately, Facebook cannot provide service for applications built by third parties, so you will need to contact the developer of the application directly. To do this, please visit the application's About page and use the "Report Application" link at the bottom of the page. Be sure to give a detailed, accurate description of the problem and include links (URLs) to the relevant pages.

Facebook is not responsible for the support provided by this developer. If you continue to have problems, please note that you can remove and restrict applications by clicking on the Applications menu in the bottom left corner of any Facebook page and selecting the "Edit All" link.

Thanks,

User Operations
Facebook
Obviously this is a dumb form letter response. However, it seems to me that it's also wrong. The problem absolutely was Facebook's. They obviously had bad code that allowed this problem to occur. And, it's their responsibility to keep app developers in line. Oh, well... I guess it's just easier to pass the buck sometimes...

RSA Is Right Around the Corner

Greetings! RSA is coming up quickly - less than a month away, now. Are you going? Want to get together? Drop me a note and I'll see what we can work out.

Need a reason to go? How about this: The MythBusters (Adam & Jaime) are keynote speakers this year! WOOHOO! :)

Unable to pay for a delegate pass this year? Fear not! RSA is offering a scholarship this year to 25 lucky recipients. Here are some of the requirements:
   * Must be an information security professional (practitioner, security architect or similar role);
   * Must have attended the 2007 or 2008 RSA Conference as a full conference delegate;
   * Complete a 1000 character explanation on “Why I need to attend RSA Conference 2009”; and
   * Complete a 750 character biography

Deadline is April 2nd!!! See the following for more info:
http://www.rsaconference.com/2009/us/scholarship.htm

RSA Conference is also having a Six Word Memoirs "contest" in which people describe their life in security in six words. The memoirs will be posted throughout the conference. If you'd like to participate, go here: https://365.rsaconference.com/community/rsaconference2009

April 2, 2009

The Elephant and the Eye of the Needle

There's an ancient religious aphorism that it's easier for an elephant (or camel) to be threaded through the eye of a needle than it is for (insert your religious preference here). For some reason, while reading Jeff Hawkins' On Intelligence last night the thought occurred to me that PCI is the elephant and our limited budgets are the eye of the needle.

The cost of PCI compliance is getting to be quite staggering. According to a blog post from ElementPS in February, a Gartner survey found that the average Level 1 merchant spent $2.7 million on PCI compliance in 2008, while the average Level 2 merchant spent $1.1 million. In case you're wondering, that's a lot of money!

Toward this end, the PCI Security Council has released a "Prioritized Approach for DSS 1.2" that can help organizations better plan their compliance efforts. Of course, this report comes with the standard caveats that full compliance is still expected, there are no shortcuts, yada yada yada.

So, what's a person to do? Well, it seems to me that you have two choices: shrink the elephant or get a bigger needle eye.

Continue reading "The Elephant and the Eye of the Needle" »

April 10, 2009

Sorry Anton, PCI Absolutely Is a Checklisty Distraction

Anton had an interesting post up yesterday titled "Five Reasons to Dislike PCI DSS – And Why They Are WRONG!". As per usual, it's decent writing, EXCEPT that poor Anton is wrong himself (not to mention that he listed 5 "wrong" things, but then says "right" to the fifth - a little confused by that! :).

So, the two "wrong" reasons that I take issue with are:

1. PCI DSS is a distraction from “real” risk management and security: WRONG!
2. PCI is just checklist security: WRONG!

Anton elaborates on them further (read his post for the full details).

Here's the thing, and why I have to disagree with him... perception is far more important than reality. Just because the PCI Security Council actually intended for a risk-based approach, and just because they did not intend for it to be checklist security, does not mean this is in fact how it is perceived, let alone used. The fatal flaw is that the preamble of PCI in the beginning (v1.0) did not start "the following may appear to be a prescriptive checklist, but it is instead a way to benchmark organizational maturity using a risk-based model." The fact of the matter is that the PCI DSS does not define risk, does not tell you to set up a risk-based model, does not talk about maturity, etc. They tell you prescriptively what you have to do to become compliant. It's really a hideously bad thing, precisely because of Anton's #3 ("We “got compliant” and now we are breached – it’s PCI’s fault: WRONG!").

The folly behind all this is: if you tell people specifically what needs to be done to achieve compliance, they will do that, and only that. It's the path of least resistance. And no matter how much you disclaim that "PCI compliance does not make you hacker proof" people will still think that compliance == security. Is this right? No. Does this make sense? No. Well, sort of. The problem is that people (generically) still do not fully understand information security. The feedback loops simply don't exist in the brain yet for understanding and reacting to infosec.

So, to Anton, and others, I say that the PCI DSS has brought us to this failure scenario precisely because it used the wrong approach in communicating its mission and intent. The goal stated has always been one of compliance, rather than one of risk reduction, risk resiliency, or proper risk management. The reason we know the goal has always been compliance is because it's mandatory to meet all of their prescriptive requirements. This makes PCI DSS checklist security, whether they intended it to be that or not. Why? Because that's the path of least resistance - the easiest way to get that box checked.

April 17, 2009

Friday Round-up Brief

Greetings! Sorry not to be more substantive lately - saving my energy for RSA, which I leave for TONIGHT. OOF! :) Wanted to share 3 interesting posts from today, in case you missed them...

1) The DNI Email: @jack_daniel comments on receiving an email from the Director of National Intelligence on the released torture memos. I got one, too. Current theory is that they sent it to the RSA press or attendee list. Did you get an email with it, too? Interesting...

2) Lindstrom's Confused Again: Old buddy Peter Lindstrom posted about risk today, but I'm not sure his post makes much sense. Sure, the first bit on likelihood seems right - probability of bad stuff happening is indeed rather important for risk assessment/calculation. However, he goes on to say "...we often suggest that in order to quantify risk we must quantify our consequences as well, but this isn’t the case. Since we are identifying unwanted outcomes anyway, in many cases we implicitly understand the value or loss involved..." which makes me wonder, Is this really true? I'm not sure that we do implicitly understand losses very often. In fact, I'd say that this is one of the core cognitive dissonances with infosec: people really truly do not implicitly (or fundamentally) understand the consequences that stem from their actions online. Think about it. :)

3) Facebook's "Democracy Theater": As suspected, Facebook's new rules have been released and they're really no better than the last go-round. The difference? People now think that things are better. However, according to Light Blue Touchpaper, they're not. Oh, sigh.

If you're coming to RSA, hope to see you next week! I'll be in ABA meetings Sat/Sun, bouncing around Monday, largely free Tuesday, reception-hopping Wednesday, rolling (Gracie Jiu-Jitsu) with @jeremiahg and @Beaker Thursday, and so on. w00t! :)

April 18, 2009

Falcon Shrugged: Debunking Myths of "PCI Shrugged"

I've finally had a chance to sit down and read "PCI Shrugged: Debunking Criticisms of PCI DSS" by Anton Chuvakin and Ben Rothke. My response to the article can also be construed as a follow-up to my earlier post, here.

Overall, I take great issue with the article and assertions made. My primary critique is that they're debunking "myths" or "criticisms" that are based in reality, not in abstract and obscure theoretical PCI realms. It does not matter what the PCI Security Council wants us to believe about the DSS. It only matters how the DSS is used and perceived by those required to comply with it. The simple fact is that the DSS is a checklist (see the SAQ for example) that has a very narrow scope (billing systems with credit card numbers) and that does not look at larger concepts like risk or maturity.

That being said, allow me to do a section-by-section rebuttal.

Continue reading "Falcon Shrugged: Debunking Myths of "PCI Shrugged"" »

April 21, 2009

RSA 2009: Monday 4/20 Notes

Greetings from unseasonably hot San Francisco! Monday was the last pre-RSA day, with 1-day workshops galore. Unfortunately, the press are barred from the workshops, so I attended minimetricon at Google. Talk about a good experience! Particular standouts were presentations from Jeremiah Grossman (real stats on web vulns and attacks) and a discussion of the Verizon Data Breach Incident Report with respect to PCI compliance. It turns out that about 19% of compliant companies get hacked, but in the end it looks like those companies are likely not compliant, either at the time of the attack, or in general. An interesting tidbit from Jeremiah was that XSS is quite prevalent and not frequently resolved, often because of a business need. I asked if the lack of resolution was due to laziness or a lack of viable alternatives and it turns out to be the latter (nice for a change). There simply aren't good alternatives for sites - particularly Web 2.0 properties.

Back at RSA, I was able to check out the Innovation Sandbox. Overall, not sure how innovative stuff was (what do I know? AlertEnterprise won, and they do event log and security event management stuff for blended attacks). There were a couple interesting vendors: Yubico, makers of a USB auth token dealy that integrates with OpenID for strong auth on internet services; and BehavioSec, which was a typing behavior analysis program that ran real-time and would detect an intruder on the keyboard, blocking them, etc.

Beyond the Innovation Sandbox, I spent a bit touring the Expo, though didn't get nearly as far as I'd hoped. I have scoped out some vendors for sit-down interviews later in the week, and have a bead on Bob Griffin at RSA to get the skinny on the new OASIS KMIP TC. I'll blog more about vendors as I interview them.

Post-Expo a bunch of us wandered over to Kate O'Briens for BaySec, which was a lot of fun, though I didn't socialize nearly enough. From BaySec we bounced to the Qualys reception, where I got to meet Anton's wonderful wife. The reception was a nice transition from the open-air pub of BaySec where it had to be in the 90s inside. Overall, it was a fun day, and it promises to be an even better week once the interviews start rolling - stay tuned! :)

April 22, 2009

A Cloud Hangs Over the Expo

I almost thought I'd see a vendor weep today. Despite official tweets to the contrary, the Expo is not very busy. I'd say the vendors outnumbered attendees this afternoon by at least 2-to-1, and if you remove the press from the attendees, that number is probably more in the 3-5 to 1 range. In other words, it's going to be interesting to see what happens next year after vendors take a hit this year. RSA is not a cheap show to exhibit at, and to have such low turnout can be brutal.

Because of the late hour, I'm not going to do vendor blogs today. Hopefully Th/Fri I'll have time to catch up on those. Suffice to say, there are way too many USB devices, none of which are very interesting. I did, however, have a chance to chat with Alert Enterprise, winner of the Innovation Sandbox earlier this week, as well as Solera Networks, a competitor to NetWitness.

In terms of talks, I briefly sat in on the Cryptographers' Panel, but quickly grew bored of the material duplicated from last year. In the afternoon I attended the "Groundhog Day" panel with David Mortman, Martin McKeay, Ron Woerner, and Rich Mogull, moderated by Mike Rothman. In other words, a very fun group! I attempted to live-tweet the panel, with moderate success. You can read those posts here.