The Daily Incite - August 2, 2007

Submitted by Mike Rothman on Thu, 2007-08-02 10:57.
Today's Daily Incite

August 2, 2007 - Volume 2, #114

Good Morning:
I'm happy to say I survived Black Hat Day 1. Saw a few good sessions, met up with some old friends and made some new ones. Given what seems to be the significant growth of Black Hat, I figure I should provide some tips that I've learned over the past two years on how to get the most out of the show. So without further ado, here is Incite's top 5 list of things to bring to Black Hat:

  1. Comfortable shoes - Do not forget comfortable shoes. You don't realize how friggin' big Vegas is until you need to go between a few hotels for a meeting or just between some of the session rooms. Some of my friends were giving me some angst about wearing Crocs on Tuesday night, but at least I was comfortable. Them in their alligator skin fancy footwear? Not so much.
  2. Your liver - Black Hat is all about the parties and some sessions too. Your liver will get some exercise this week and if you are as out of drinking shape as I am, it kind of hurts. The Mozilla folks tried to buck the trend and have a milk and cookies party last night. I opted to skip that because I can get milk and cookies at home. A bunch of V/Ts on someone else's dime? Only in Vegas baby.
  3. Your brain - Some of the sessions are technically deep and make you think. A lot. Until your head hurts. I saw Ptacek, Lawson, and Ferrie's session on virtualized hardware rootkits and they were talking about all sorts of deep technical stuff. At least I think that's what they were talking about. Also to set the record straight, Thomas Ptacek would rather I not call him the "king of security research marketing." Evidently it hurts his street cred. How about the Goth Prince of security research marketing? Does that work better for you man? I know you need to keep your jiggy on with your home-boys.
  4. Your watch - The Black Hat sessions fill up. Fast. So unless you want to sit on the floor for 75 minutes, get there a few minutes early and get a seat. 
  5. A translator - Much of the security research happening now is being done outside of the US. Security truly plays on a global stage. Unfortunately that does create some language barriers when non-English speaking researchers present their findings in their native tongues. Or is that English? Given the size and scope of Black Hat and the depth of technical information being presented, I think CMP should get translators for the sessions where presenters have weak English skills. That may make them stop the cash printing presses for a minute or two, but it would really improve the experience on both sides.

And I shouldn't forget to tell you about what you SHOULD forget, and that's your WiFi card. Just turn it off when you get to Vegas. A researcher friend was a bit upset that not enough people were using WiFi in the hotel and it was impacting his data collection efforts. If you use WiFi, they are going to try to hack you at Black Hat and more so at DEFCON. I am loving my EVDO service now, as I can surf the web at Black Hat and not fear for the life of my computer.

That's until they break EVDO. But that's probably a topic at next year's Black Hat. Have a great weekend.


Top Security News

Ajax-ulation? Gross.
So what? - One of the sessions that I missed was Billy Hoffman's Premature Ajax-ulation, where he and Bryan Sullivan went into the issues around Ajax-based Web apps and how you can break them. A bunch of folks I know went to the session and said it was the best one of the day. InformationWeek's Larry Greenemeier was there and covered the session. Given the fact that no one is rolling out non-Ajax web stuff anymore, the session was both impactful and timely. Now get a towel and clean up that mess.

SOA security starting to get attention
So what? - A session I did make it to was Brad Hill's Attacking Web Services security. He presented a good overview of the problem, but then made his contention that the best approach to securing Web services was to default back to SSL, as opposed to any of the message-oriented security approaches (namely WS-Security). He did make the point effectively that WS-Security is pretty complicated. SSL certainly is easier, although I wouldn't say issuing client-side certificates everywhere is a walk in the park. The reality is that it's too early to tell if Brad is right or wrong. We are first getting our arms around what SOA is and how it needs to be secured. I found this pretty detailed primer on SOA Security over at Dark Reading. It also does a good job of outlining the issue and discussing some of the standards uncertainty, but without bringing along the SSL Kool-Aid.

VARs jump on the NAC bandwagon?
So what? - It's funny how the hype cycles ebb and flow in this business. A week ago I made a comment about how people aren't really talking that much about NAC and then for the last two weeks I've seen a ton of stuff about NAC. According to CRN, NAC presents a great opportunity for VARs. Well, yes and no. Since customers continue to be confused about what NAC is, there is clearly the opportunity to help them understand the technology and where it can/should fit in the customer's environment. The article also correctly points out that NAC spans a lot of different skill sets, including desktop management. Yet with 30-40 vendors all trying to position NAC solutions, VARs must select their manufacturers carefully. There will be a shake-out (Caymas anyone?) and a lot of VARs and their customers will be left holding the bag.

The Laundry List

  1. What about Super Glue? Dave Jevans finally unveils his new shop, IronKey, which makes a really secure USB thumb drive. Seems like a very narrow niche. - IronKey release
  2. VoIP broken? Not a surprise, but how big a deal is it? Maybe they can steal the grocery list the Boss is giving me right now. - Forbes Black Hat coverage

Top Blog Postings

My take on the WSJ Top 10 article
It seems everyone and their mother and maybe even Grandma is weighing in on the very controversial Top 10 ways to get around your organization's security article. Beau Woods' write-up is really good. As is Loner Vamp's. But I want to make sure we don't miss the point, which is the continued need to educate our users as to why these defenses are important and what we are protecting them from. The reason people will try to go around our defenses is because they don't understand the importance of adhering to the rules. Sure the WSJ was borderline irresponsible in publishing this, but it's not like a quick search wouldn't yield roughly the same information. If you do a crappy job of selling the reasons why the policies need to be followed, then you shouldn't be surprised that users go around you. Remember that it's easy to be Dr. No. It's much harder, but ultimately more important to be Mr. (or Ms.) Yes, But.
http://beauwoods.blogspot.com/2007/07/at-least-ten-things-wsj-got-wrong.html

Data encryption not the panacea
Tom Olzak makes a great point in this post about data encryption. There is a time and place for crypto, but everywhere for everything is not it. Besides the cost and overhead, it's just not practical. That being said, we do need to figure out how to get to a more data-centric security posture. Maybe that will give Rob Newby a chance to smile and not be so grumpy today. For certain data types, encryption does make sense - but be wary of the cost of ownership and make sure you are doing crypto because it's the best way to solve the problem, not just that an auditor told you to encrypt some data. And as Tom says, make sure you really need to actually store that sensitive data.
http://blogs.ittoolbox.com/security/adventures/archives/again-data-encryption-is-not-a-cureall-17990