Pragmatic CSO Podcast #20 - The Sales Pitch
This week we talk about the sales pitch. This is the part that most security practitioners hate: actually having to get in front of folks and ask for money. Although if you've followed the process up to now, then you should be in great shape to put together a compelling story and to deliver that message to the senior team.
In this week's episode (can you believe it's #20 already?), I go into detail about how to structure the sales pitch and what you should discuss and why. We are reminded about what the goals are and also the importance of practice - especially if you are an inexperienced public speaker.
Running time: 6:52
Intro music is Jungle and since we are talking about making a "pitch" and it's the middle of summer (in the Northern Hemisphere anyway) I broke out John Fogerty's classic baseball anthem, "Centerfield."
Enjoy!
Direct Download: 20_Pragmatic_CSO_Podcast_20.mp3
Photo Credit: XPLANE (click on the poster image above, it's awesome - especially if you've ever been on the other end of a sales pitch)
PS: My apologies for some spotty audio quality this week. You can hear everything, but I tried out a new headset and it didn't work out too well. Back to the old gear next week!
Pragmatic CSO review on Slashdot
Nothing like getting a little present on a summer Monday. I wanted to point out that a review of the Pragmatic CSO was posted today on Slashdot. You can check it out:
http://slashdot.org/article.pl?sid=08/07/28/1330215
Overall, Ben Rothke provided a balanced and positive review of the book, which really hits on the key points I try to highlight not only in the process, but also in my weekly newsletters and podcasts.
Pragmatic CSO Podcast now on iTunes
Now you can take the P-CSO on your iPod with you. This is great news, so now I can haunt you in your car, on an airplane, or even when you are running. Although since all of the podcasts are 6-7 minutes, it wouldn't be much of a run I guess.
To get the podcast, click this link and then it should direct you to iTunes to subscribe to the podcast. Screenshot of what you should see is below.
Black Hat 2008 Day 2: Web 2.0 mayhem
As you are reading this, my flight back to ATL should be climbing up through 10,000 feet on my way back home. Another year, another Black Hat, another set of things that are sure to kill us somewhere down the line, another few parties, and another frantic ride back to the airport.
Day 2 was a bit more sedate than Day 1, though that may have more to do with my hangover (that I finally chased away about 3 PM). I also skipped the keynote, though I heard it was pretty good. Here's a brief rundown of the sessions I did today.
- Satan is on my friends list: This session went deep into some of the tricks you can use on Facebook, MySpace, and LinkedIn to make the application do unexpected things. The most interesting thing is that the attacks were shockingly simple. No wonder these social network sites are such havens for malware, leveraging XSS, CSRF and all sorts of other attack vectors. Shawn Moyer and Nathan Hamiel also ran a little experiment in adding Marcus Ranum (with his permission) to LinkedIn and added about 60 connections within a day. One of the last recommendations was to make sure you had a profile on each of the sites. Not because you plan to use it, but because you should get one out there before the bad guys do. At least the inimitable Ranum now has a profile.
- No More Signatures: Defending Web Apps with ModProfiler: I was pretty disappointed with this session from Breach's Ivan Ristic and Ofer Shezaf. They spent the first 45 minutes explaining what a web application firewall is and some specifics about ModSecurity (the open source version). I was there to hear about ModProfiler, which is a new project focused on more effectively leveraging a positive (if it's not explicitly allowed, then it's not allowed) web application security model. They only spent maybe 30 minutes on that and didn't show the code or a demo or anything. Maybe they did in the last 15 minutes, but I left before then. You shouldn't make people wait for an hour to get to the technology mentioned in the title of the pitch.
- Get Rich or Die Trying: Jeremiah did a great job going over quite a few scams that really leverage web technologies, kind of. Most took advantage of weaknesses in the web application, as opposed to actual security flaws. He showed some of the real simple stuff (like getting at press releases before they hit the wire by figuring out the naming sequence), and how one woman made about $400,000 by selling merchandise that QVC shipped her even after she canceled the transaction. So, the moral of the story is that companies should probably pay their Q/A people a lot more money (or get new ones) to find this stuff before an application goes live.
And that's all she wrote. Back to a regular publishing schedule next week. Enjoy your weekend.
Black Hat 2008 Day 1: We're Screwed!
Day 1 of Black Hat 2008 is in the books. It's great to see a lot of old friends, and it seems this year (more than the last two) many of the folks I'm talking to are more focused on the networking than on the session. Not me. I'm still fired up about seeing really smart guys discuss what they are up to and give me a lot of food for thought about how we need to continue protecting ourselves.
I ended up hitting almost all the sessions I wanted to, so let me go through some quick observations.
- Keynote: Ian Angell, Professor at the London School of Economics - Professor Angell is a pretty engaging character and I enjoyed his systematic skewering of the common knowledge about risk and what we can really control. Which is basically nothing.
- Bad Sushi: Nitesh Dhanjani and Billy Rios - As mentioned on Tuesday, I was looking forward to this session and it was a lot of fun. Especially when they pulled the RickRolling prank on the phishers and to see how many of them fell for it was great. Sometimes it's nice to strike back, although it doesn't have much of an impact on how we do things.
- Kaminsky's DNS talk: It was packed. I mean PACKED. And Dan delivered the goods. The thing that resonated the most is how dependent we are on DNS for pretty much everything, and if DNS is not trustworthy, we've got a real problem. Lots of innovative ways to compromise stuff assuming the bad guys own DNS, and plenty of other goodies. I have some larger thoughts about the DNS topic, which I'll write up for Monday, but the only conclusion you can really draw is that we're screwed. But isn't that what Black Hat is all about? Giving security folks that uneasy feeling of not being able to keep up with all the attacks?
- Hoff's Four Horsemen: The Hoff delivered the goods as well. First of all, the slides were very pretty. You should check them out. But aside from the aesthetic beauty of the content, Chris really put into question a lot of the assumptions many folks are making about securing the virtualization layer. Rich did a good write-up of Hoff's pitch and other Black Hat topics.
- Network Monitoring, Bruce Potter: I hadn't seen Bruce speak before and it was very entertaining. But most interesting was the very compelling case he made for why you need to monitor your networks using something like Netflow. He also talked a bit about a new open source tool called Psyche that his team is releasing and it looks pretty cool. It's nice to see the idea of network monitoring being discussed on the big stage. Of course, there are folks like Bejtlich that have been beating that drum for years. But given all the other stuff we're seeing at the show this week (basically we're screwed), the idea of figuring out everything isn't going to happen. So we need to REACT FASTER and monitoring is the way to do that.
The Mogull and I recorded a quick podcast yesterday as well. We talk about Kaminsky's and Hoff's pitches and come to the conclusion that basically we're screwed. You can check it out at the Network Security Podcast site.
Before I head off to Day 2, I have to relay my latest Vegas star sighting. To wrap up the night Shimmy, Mitchell, Adrian Lane and I are catching a little late night breakfast at Caesars. Sitting right next to us is Jeff Dye, one of the finalists on this season's Last Comic Standing. You all know what big fans of comedy the Boss and I are, so it was great to see him in person. He's a very nice guy and he really is that pretty. They are announcing the winner of the show tonight, so I told Jeff we'd be pulling for him.
Only in Vegas...
Things not so clear for CLEAR
Interestingly enough, I tried to register for Clear this morning on my way out to Vegas. They are rolling out the service in ATL and given the amount I fly, I figured it would be a good investment. The folks at the desk were kind enough to tell me the computer systems were down and that I'd need to come back later.
Upon arrival, I connected via my EVDO card (no WiFi in Vegas with all the haXors around) and tried to do the online registration (so I could finish up when I get back to ATL). But the application was being upgraded.
Actually no, the TSA has put the kibosh on Clear while they mop up the mess of a lost laptop. Thanks Breach Blog, now I know what is going on. How about that laptop encryption? I can see the commercial now:
- Cost of laptop encryption: $100 per agent
- Lost revenue from a data breach: $zillions
- Reality that the TSA is putting you in the penalty box for years for violating their trust: Priceless
And for those already in the Clear. You've been pwned! Now the bad guys have your retinal scans and fingerprints. They don't even need to chop your fingers off anymore to beat the biometrics. Actually, I'm kidding, I'm not sure what data was stolen.
It never ends.
The Daily Incite - August 5, 2008
August 5, 2008 - Volume 3, #67
Good Morning:
I'm glad kids are so adaptable. Yesterday, the twins started at their 4th pre-school. In 4 years. And they are not even 5 yet. It's kind of wacky. The first was exclusively an 18-month program. It was a good program, but a 15-20 minute ride from the house, which became a drag. The second was right around the corner and was great, but didn't offer a full day program - which we needed when the twins turned 4. So last year we sent them to yet another program, and they really liked it. We figured they'd be in the same program again this year, and that was that.

But the best laid plans... It seems the director of the school decided (in her infinite wisdom) that it was OK to have 41 kids, split across 2 classrooms with only one teacher and two assistants. Yeah, not so much. For what I was paying for the privilege of sending my kids to the school, we deserve better than double the teacher:student ratio they get in public school.
The Boss was a teacher before the kids were born, so she realized how untenable the situation was. A lot of other parents had real reservations as well. So much that a simple meeting turned into a 2 hour bludgeoning of the Director. After a while, she relented and said she'd hire another teacher.
Cool, problem averted. Back to our regularly scheduled program. But I have taught the Boss well, and she immediately went into contingency planning. What if they don't get another teacher? What do we do then?
Well, the Boss didn't leave anything to chance. She scouted out another (well regarded) school in the area. So when we heard the Director had "changed her mind" and wasn't hiring another teacher - it was right down to the other school to get our kids a spot.
We decided to vote with our wallets. We knew going back to the Director was going to be fruitless. So we didn't even bother. We didn't complain about it, we took action. Too many folks just accept their lot in life, with nary a whimper. That ain't me or the Boss. If we don't like it, we change it. It's as simple as that.
Thus, the 4th school in 4 years. The boy cried a bit today, but he'll be fine. He's not as good with change as the others. It's a great program and they will be super ready for kindergarten next year. This new school has up to 36 kids in the class, but 3 REAL teachers. The kids are broken up into 3 groups, and no more than 2 groups are ever in the class at any one time. There is a school store (where the kids can practice) and it's very rigorous from an academic standpoint.
We aren't those crazy parents that are trying to push the kids ahead. Drilling them in multiplication tables before they are even in kindergarten. Yes, there are parents that do that. We have them in a full-day program so the Boss can work. But while they are there, they may as well get a good education.
Have a great day.
PS: I'll be at Black Hat this week. Check out my thoughts on the show.
Photo: "Empty" originally uploaded by -Mandie-
Top Security News
Penny wise and pound foolish - laptop encryption style
So what? - Andreas from Nemertes (run by my former colleague and all-around brain surgeon Johna Johnson) makes an impassioned plea for laptop encryption in his recent NetworkWorld column. His main point is that there really is no excuse not to encrypt the laptops. Given the reality that a bunch of devices will be lost, quite a few stolen, and still others compromised due to the general idiocy of the owners, why not do it? Especially given the availability of "free" open source solutions like TrueCrypt. This is where he loses me. I'll admit to not having played around with TrueCrypt (Apple's FileVault works fine for me), but the idea of any mid-market or enterprise technology manager rolling out open source technology to the masses scares the hell out of me. And not for the reason you'd think. The technology is more than likely solid. It's the manageability that I worry about. Does TrueCrypt come with a management console to deploy the software to 100 devices, or 1,000 devices, or 10,000, or 100,000? Does it handle exceptions and create a failsafe so the CEO can access his/her laptop when they forget the password, without requiring you to FedEx a recovery disk to them? Can it recover if they lose the tip of their index finger in a freak private plane accident and can't use the fingerprint reader? If the answer is yes, then I'm cool. If it's no, I'd remind technology managers not to forget that whatever they deploy - they actually have to manage.
Vista is more secure than XP - uh huh!
So what? - Since I'm looking forward to seeing Jeff Jones and some other Microsoftians at this week's Black Hat conference, I'll just take a moment to poke fun at this continuing myth that one operating system is more secure than another. It's like saying one gun is more deadly than another. The folks that watch Microsoft continue to perpetuate this fallacy, based, of course, on Microsoft's own subjective assessment of the patches' "criticality." The reality of the situation is that it doesn't matter which operating system is "more secure." In the hands of a stupid user, either operating system is a deadly weapon. I understand that the Microsoft watchers have a vested interest in making sure Microsoft sells more Microsoft stuff, so they have more actions at Microsoft to watch and write about, but still. The fact is Microsoft makes it hard to continue using XP. It's hard to buy. You should have seen the hoops my father-in-law had to jump through to get XP on his new laptop (since I couldn't in good conscience tell him to actually use Vista). Within a few years it will be hard to get support on XP. So Vista is the future, whether we like it or not. And whether it's secure or not is beside the point. How many bugs each one has is also beside the point. Everything is vulnerable (even my beloved Mac) and we need to plan for those eventualities. But tracking this stuff is certainly an interesting use case for Excel.
The world remains neither black nor white
So what? - I'm not known for my love of gray. In fact I hate it. If I could reduce every decision to a clear, black or white, left or right, up or down analysis - I'd be a happy guy. Of course, the world isn't like that, since without black there can be no white. Without up? That's right, no down. OK, enough of abstract philosophy. I'm reminded of these issues when I see the whitelisting vs. blacklisting argument resurface. It's like when I saw Andy Jaquith go through his provocative "AV sucks" pitch at Source Boston earlier this year. Of course, Andy was poking fun at the AV engine that drives security, but he only told one half of the story. His story is about the inabilities of the blacklist (signature-matching) techniques to scale to keep up with the new attacks. On that point he's exactly right. That's where whitelisting comes in, and pretty much every big AV product has some kind of whitelisting capabilities. Some more formal than others, some that try to get you to pay extra for it. But it's all the same. You need the black list to make sure you don't make the same mistake twice. You need a white list to allow the things you know need to be allowed. And you also need some kind of "gray list," which more heavily scrutinizes the stuff not on either the white list or the black list to make sure it doesn't kill you. But religion continues to drive page views, so I figure we'll continue having more of the same for a long time to come.
The Laundry List
- OK firefighters, you can go home now. It seems FIRE has extinguished the burning embers of their first two quarters as a public company. They should send a thank you note to the outgoing US Federal regime, who is evidently set on helping lots of security companies make their quarters. - Sourcefire earnings release
- Core introduces a pen tester "lite" version of Impact, called Impact Essential at a cheaper price point. This is good stuff, since the more folks that learn to "hack themselves," the better. - Core Security release
- Talk about weird timing. Two companies emerging from the rubble of CipherTrust attack the same market, web security in the cloud. Jay Chaudhry's is Zscaler, the other group is Purewire. Which came first, the cart or the horse? - 451 Group blog
- Everyone jumps on the PCI bandwagon. Even an application configuration management play called mValent. If it wasn't so sad, I'd actually laugh a bit. - mValent release
Top Blog Postings
More numerical idiocy
First of all, hats off to Dancho for using Count von Count's picture in
a blog post. The Count is by far my favorite Sesame Street character.
Actually, the highlight of a recent Orlando trip with the kids was
getting a picture with the Count himself, all the way in from
Transylvania. But I digress. Dancho skewers the recent one-upsmanship
from the AV vendors about who has more thingys to detect other thingys.
His point is that none of this matters because today's brand of malware
is sufficiently evolved to actually morph and obscure on the fly. So
how many you have doesn't really matter, as long as you have the one
the script kiddie is using against you right now. Or have some kind of
white/black/gray list approach (as mentioned above), or better yet -
just wait in your office for someone to do something stupid, then you
clean up the mess. Which is what we normally have to do anyway, right?
http://ddanchev.blogspot.com/2008/07/counting-bullets-on-malware-front.html/
I'm too disillusioned to CAER
Actually I'm not, but it was a nice play on words based upon the latest
wisdom to emerge from the Tao Master himself. Bejtlich introduces a new
acronym (since we haven't had a new acronym in a while, sorry Rich ADMP
doesn't cut it) that really sums up the operational roles of the
security professional pretty effectively. Collection, Analysis,
Escalation, and Resolution are what CAER represent and there is a lot
of
logic here. Especially as Richard laments the fact that most folks just
collect data and don't really do much with it. Besides maybe generate
some reports for an auditor every six months or so. They figure the
audit is the end goal, not a checkpoint on the way to figure out if
you've wandered off the reservation. Another point also rings true:
"the goal of every
mature security operation is to reduce the mean time
to resolution." Ain't that the truth! Unfortunately it's
not clear to
me what most security professionals believe the goal is. They generate
some great reports about how quickly they patch and what wonderful AV
coverage they have on the devices. Bah humbug. Maybe set about trying
to CAER a bit more for the rest of the year. Everyone will appreciate
you efforts.
http://taosecurity.blogspot.com/2008/07/security-operations-do-you-caer.html
Your demo still sucks
Doing what I do, I'm subjected to a lot of demos. Though I try my best to get out of them. I'll use all sorts of excuses. Like the dog ate my Internet router (I don't have a dog). Or your WebEx works like crap on my Mac (it works well enough). Or my coffee shop blocks access to your crummy demo (actually I could surf pr0n there if I wanted to). Despite my best efforts the demos still suck. Why? Because most demos still focus on what the product DOES, not what PROBLEM IT SOLVES. If you have anything to do with demos, please read Mitchell's rants on doing demos, and listen. Do scenarios. Help the prospect (or analyst) understand how your tool is going to impact their job. Make the issues real for them. What can they do better with your stuff, saving them time or money or protecting information more effectively? And I love the idea of packaged demos. Even if you (or your best SE) are great at doing the demo, I'm sure other folks in the field suck. So take the variability of crappy Internet connections and the like out of the equation. A recorded demo also makes sure your folks stay on point and highlight the issues/problems/capabilities that really matter. Not what the product manager thinks is a cool feature or a nicely colored box.
http://www.theconvergingnetwork.com/2008/08/product-bistro.html
Black Hat 2008 Preview: Paranoia and Learning
Hard to believe, it's time for another Black Hat conference. This is my third, and as I sit in the airport waiting to head out to Vegas, I'm eagerly anticipating the show. For lots of reasons, but mostly because it's the only show I attend to actually learn something. It's not like RSA or CSI are big on "education." I certainly know that I don't know it all, but Black Hat is a place where I can hang out with guys a lot smarter than me. And that's a good thing.
Even if the show has gotten a bit corporate.
As others have mentioned, Black Hat/DEFCON are not the places to be careless about your computer security. Now that BH is doing the Wall of Sheep as well, no one is safe. I was at Rob Graham's session last year where he pulled up some poor sap's Gmail through his sidejacking attack. That ain't going to be me.
So what do I do? WiFi is OFF. Period. Until I get back to ATL on Friday, WiFi is off. I'll just rely on my Verizon card for the few times I'm in my room and connected. I don't carry my laptop at the show, rather relying on good old-fashioned paper and pen to take notes. I may do a quick post or two from my iPhone (3G, I upgraded over the weekend), but for the most part I'll be mostly disconnected.
Speaking of my iPhone, WiFi is off on that as well. I'm also turning off Bluetooth. That means I'll be the silly one with the wired headset. But I'm not sure what new attacks have emerged, so I'll suffer the wired life for a few days. I'm also turning off the GPS. It's not like I'm going to get lost in Vegas, and again although I haven't heard of specific GPS attacks, why risk it?
Yes, clearly it's paranoia in full effect. But better to be safe (if a bit disconnected) than sorry. That's for sure.
In terms of sessions, a few caught my eye:
- Bad Sushi: Beating Phishers at their Own Game (Wednesday, 10 AM): I'm going to see my friend Nitesh Dhanjani and Billy Rios do their anti-phishing talk. Clearly there are both process and technical defenses against the phishermen.
- DNS Goodness (Wednesday, 11:15) - Obviously Kaminsky's session is going to be a circus. They should probably move it into the keynote room to accommodate everyone. Not sure I want to fight the masses to attend, but I'm sure it will be interesting.
- The Four Horsemen of the Virtualization Security Apocalypse (Wednesday, 1:45) - I've got to be there to support my boy Hoff and I'm actually interested in how he's evolved his pitch. I also heard (from the horse's mouth) that the slides are real pretty, so I'll probably take a few presentation pointers from the Rational one.
- Malware Detection through Network Flow Analysis (Wednesday, 3:15) - Since part of my schtick is REACT FASTER, Bruce Potter will be previewing a new version of his flow analysis tool, and that may fit the bill. Lord knows a lot of the NBA tools are way too heavy and high end for the mass market, so an open source alternative could be interesting.
- Exploiting Google Gadgets (Wednesday, 3:15) - I'll also try to swing by RSnake's pitch, where he and Tom Stracener will be exploiting Google Toolbar and discussing a zero day. Woo Hoo.
- Satan is on my Friends list (Thursday, 10) - I'm fascinated with this social networking thing and figuring out how to exploit it is pretty interesting. There is a lot of cutting edge research happening around this area.
- No More Signatures: Defending Web Applications from Zero Day Attacks (Thursday, 11:15) - Yes, I plan to go see Sir Ivan and Ofer Shezaf discuss how profiling traffic can help defend web apps. This sounds like a positive security model and I think that's a pretty important aspect of defending the web apps.
- Get Rich or Die Trying (Thursday, 3:15) - I'm also going to see Jeremiah do his logic flaws pitch. These are very interesting attack vectors and I'm looking forward to seeing how Jeremiah and Arian go through and pwn applications via the developers' own mistakes.
I'm sure there are others, or maybe not. I tend to like to keep my schedule pretty fluid at Black Hat. I'll be hitting the party scene as well, so I hope to see at least some of you in Vegas.
Safe Travels.
Revisiting Big is the New Small
It's been quite a while since I penned the original "Big is the New Small" piece back in February of 2006. Obviously a lot has changed and happened in the security space since then. So I figure on the first Monday in August, I'd revisit that position and figure out if it was still relevant.
To refresh everyone's memory, Big is the New Small was the moniker I came up with to describe why consolidation was happening in security and why it was going to continue. Customers were increasingly fed up with the idea of having to manage multiple products from multiple vendors to handle mature, somewhat commodity functions. And all things being equal, they want to buy these solutions from "Big Security," the large publicly held companies that have staying power.
Much of this has come to pass. The Big have gotten bigger by continuing to acquire technologies to fill out their product families. Large companies have always acquired smaller companies, that's nothing new. And the original concept behind Big is the New Small is that customers were tired of dealing with crappy little vendors. They'd much rather deal with bloated, unresponsive, lumbering vendors.
There are many that cling to the "best of breed" myth. It's even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn't happen.
These ideas also are NOT an indictment of innovation, as many of the small vendors called it. It was a pragmatic view of how the industry is working now. Some choose to fight it, until Big Security swings by with a bag of money. Then they get religion pretty quickly. But even that isn't the point.
The point is that over the last 2 years, customers are looking for security that is "good enough." The main issue is that without anything that is truly innovative (and it's been quite a while since we've seen true innovation in the security space), customers have no choice but to go with good enough. Most of the new companies out there are focused on "better, faster, cheaper" models of improving the way things are already done.
Since security remains an expense and an overhead item, the natural inclination is to minimize cost, and that means to buy solutions that aren't the most expensive, but meet the needs in the most cost effective mechanism. That's this entire drive to doing security in the cloud. Since it's good enough, we may as well have someone else deal with it.
By no means am I saying that our protection is good enough, it's not. But I don't think it's because we have a lack of tools or knowledge. We collectively suck at protecting information not because we don't know what to do. We suck because we just don't do it. If we would actually use half the crap we've bought, and build a strong and credible security program - things would be a lot better.
Not perfect, but better.
But we don't, so it's not. Thus, good enough is here to stay. And as long as good enough is the primary criteria for most product/service purchases, it favors Big Security. They aren't much, but they are usually good enough.
Photo credit: "Good enough" originally uploaded by russelldavies
Deal: McAfee acquires Reconnex
As predicted, the DLP market continues to consolidate on its way to eventually disappearing. McAfee announced as part of their earnings release that they are acquiring Reconnex for $46 million in cash. This is a good deal for McAfee for lots of reasons. I don't think they are going to be "redefining the data protection market" as stated in their press release - but there are positives.

- All the cool kids have one - McAfee needed to bolster their DLP position because their benchmarks, Symantec, Trend, EMC/RSA, and Websense, already acquired assets in this space. They also realized the endpoint centric product they've brought to market (based on the Onigma acquisition) wasn't going to get them there. Reconnex is one of the last independents standing, so it's not a surprise they got taken out.
- DLP is a feature - As I've mentioned, DLP is not a market category that is going to stand alone. These capabilities need to be built into bigger security, and eventually general IT infrastructure. McAfee now has some more technology to foster that kind of integration and value add.
Of course, all that glitters is never gold, so there are some things to watch for, especially around channel mismatch. McAfee doesn't really have a high end services/implementation business to drive big DLP implementations. And their channel tends to focus more on mid-sized companies. Sure they do some big deals (around endpoint security and some IPS), but there could be a bit of an impedance mismatch when the reality of DLP deployment cycles sets in.
How about that price?
But any potential issues with the deal are offset by the price. $46 million in cash. Wow! That is really a fire sale price for a company with seemingly a lot of momentum. I guess seemingly is with a capital SEEMINGLY.
Reconnex had raised $37 million in VC funding. So the VCs get their money out, the management team (mostly executives) maybe gets a little carve out, and the rank and file get screwed. Of course, that is speculation on my part, but having seen enough of these deals - I'm probably not too far off.
This is just yet another example of the reality that you cannot believe all you read. Check out the momentum release from TWO WEEKS ago. If you take the words on the surface, things are going great. Lots of growth, named a leader in that quadrant thingy, yada yada. The print isn't even dry on that release and they sell for not much more than DeWalt's expense account.
I'm sure there is some kind of back story here, and I'm sure it's not real pretty. But at the end of the day, they got a deal done. Bully for them. And once again, McAfee shows it's one of the shrewdest buyers in the space. They won't have to turn many Reconnex lemons into lemonade to make the deal pay big time.
Photo credit: "Cheap Store" originally uploaded by ZannaLyon