Mike Rothman's blog

The Daily Incite - August 12, 2008

Submitted by Mike Rothman on Tue, 2008-08-12 06:52.
Today's Daily Incite

August 12, 2008 - Volume 3, #68

Good Morning:
I forgot how cool the Olympics are. I can hardly remember what I had for breakfast, so the odds of remembering anything that happened 4 years ago are remote. On Sunday night, I remembered. Athletes from around the world, competing mostly for national pride. Not entirely, but mostly. I'll admit to getting caught up in the drama, the background stories, and ultimately the sacrifice that these athletes make for years at a time to chase one shining moment.
Take that Frenchies!
And if they screw it up, it's gone. Likely to never come around again. It's the ultimate drama.

By now, most (if not all) of you should have heard about the American 4x100 freestyle relay team. What a race! The Boss and I were literally screaming at the TV at midnight. Yes, we woke up the kids. And yes, we paid dearly for the hour after the race was over. The last time I got that fired up watching sports was the Super Bowl, and before that I can't even remember.

We were also totally engaged in the women's gymnastics preliminaries. Although "women's" is probably a misnomer. It seemed a bunch of those competing were girls. Little girls at that. But those girls can flip, turn, tumble, and vault like nobody's business. They are fearless and focused.

To me, the best part is to see the athletes dig deeper than they thought they could. They routinely do things no one thinks is possible - even themselves. They push through the limits and show the world what they are made of. I tip my hat to all the Olympians. Whether they take Gold or just show up and compete. It's a tremendous accomplishment.

The best seat in the house is usually right in front of my big ass HDTV. But I'm thinking the Olympics is something you should attend at least once, if the opportunity presents and fortune smiles upon you. By the 2012 Summer Games in London, the kids may be old enough to appreciate it. Hmmmm. I better start saving now.

Have a great day. 

Photo: "YEAH, USA!!!" originally uploaded by mbtrama


The Pragmatic CSO
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

Get Your Special Report:
6 Easy Steps to Protect Your Identity
get access to Security Mike's Portal today


Security Mike's Guide to Internet Security

Top Security News

What kind of parachute fits on a pwnie?
So what? - Have you ever seen a flying pwnie? You will. With Delta offering WiFi in the sky, there is no doubt some enterprising "researcher" will bust out xStumbler and Wireshark to see what he/she can find. How would anyone actually catch them? A little spoofing action and they are in the clear. And it's not like the Air Marshals are going to be much help. Do you think Delta is going to give up a revenue seat for a security pro? Yeah, right. I know WiFi in the sky is probably good for their revenue, but it's bad for unsuspecting customers, who couldn't defend themselves from a grade school crook. So basically they are sending a bunch of lambs to potential slaughter. I guess the best news is that a bad guy can only compromise 200 or so people at a time. Though flying on the A380 could yield a fiesta. Let's just say I'll remain happy to do some unconnected writing on my flights. Even if I do have WiFi.

Countrywide...You are the weakest link.
So what? - So now it seems the Countrywide data breach could/should have been averted because they had a policy (and even some software) to shut down the USB ports. Except on the machine the nefarious insider used to pilfer the data. And there you have it. The weakest link is always the one that gets nailed. Moreover, the policy isn't worth the paper it's written on, if it's not enforced. Seriously. Countrywide gets an A for preventative controls. But they get an F for implementation. As my friend told me when I was trying to sell my house, "it only takes one." I guess Countrywide gets that now too.

Yes, monitor your web apps too
So what? - I thought this new capability on Imperva's web application firewall to monitor the malicious inputs (amongst other things) and help provide actionable reports to developers was fascinating. You all know I'm a big fan of monitoring, and all other things being equal, I'll choose to monitor not just the network - but the servers, databases, and apps as well. As helpful as the monitoring info is to REACT FASTER, it would be great if you didn't actually have to react every time. So you could get attacked, find the issues in the application and then fix them. Of course, it's the "fix" part that is the most challenging because we security folk don't control that. So it still gets back to building and nurturing a good relationship with the development team and continuing to evangelize why it's a good thing to eliminate issues before deployment, and this is just more data to make the point.

The Laundry List

  1. JNPR plays into the eventual integration of network and security management by offering an integrated management console for the switches and the (former) NetScreens. - Juniper release
  2. MSFT introduces the "exploitability index" to protect consumers. So, a totally subjective index targeted towards a customer base that doesn't understand what "exploitability" means. Great. - Venturebeat coverage
  3. Guidance blows the quarter, the stock gets hammered and now it's time to change to a subscription model. It's hard to get off the perpetual license crack when the Street expects new growth. - Guidance earnings release
  4. Justice is served. You mean, the TJX hackers are brought to justice? Nah, now I'm forced to go buy some decent clothes, since I'm still boycotting TJX. - NetworkWorld coverage

Top Blog Postings

Too much GRC? It's more about tactical vs. strategic
Normally I wouldn't point to a vendor byline generally making the case for a GRC thingy. But Gordon Burnes of OpenPages makes a couple of good points in this article on the IT-Finance Connection blog. Basically his point is that "For each new regulation or risk discipline, organizations typically implement a new technology point-solution aimed at the specific mandate." Clearly there are problems with this approach. First you get no leverage. I know sometimes there are different operating groups that are responsible for different aspects of managing risk and ensuring compliance, but if there is no SINGLE coordinating point, what's the purpose? Remember that old story about the weakest link? Right, you have no idea what is weak or strong if you don't have a single view of the risk environment. The same can (and should) be applied to security (as if you can separate security from risk) in taking a SINGLE and holistic (hopefully not delusional) view of the security environment. That's why I push for the CISO to be focused on managing the program, as opposed to implementing and operating the controls. If he/she is too busy fighting fires, they miss the forest for the trees, and sooner or later they have to bring those fire department planes in to control the forest fire.

A bug is a bug is a bug is a bug
Fortify's Roger Thornton rants a bit about this recent debate about open source security. I guess we just can't quite remember that every piece of software has bugs, and those bugs sometimes result in security issues. Roger's point is that open source is no panacea and is still going to have bugs. Yet, many in the open source community view these realities as personal affronts and strike back with venom and rage. Get over it. I agree with Roger that security issues are issues just like performance and functional issues. Especially if the application provides access to private data and/or intellectual property. But it's not sexy to focus on security issues and we security folk have to keep evangelizing the need to make the software better (over time) and focus on eliminating the defects sooner and better. And that goes for open source, commercial grade or home grown stuff. The attackers don't make a distinction and neither should you. 

Only the rear view mirror knows your potential
I'm going to wrap today with an off-topic post. One of the things that frustrates me most about some folks I know is they are pre-occupied with what everyone else thinks of them. Other people's perception drives what they do and how they feel about themselves. I work very hard to not give a crap. I do what I think is best for ME and my family and if someone else doesn't like it... Oh well. This post on Penelope Trunk's blog really sums up the entire discussion. Her main contention is that our only purpose in life is to be kind, and she's right. I spent a long long time not being kind, rather chasing some arbitrary dollar figure and stepping on lots of folks in the process. I was grumpy and I felt like a failure because I didn't have a plane (don't laugh, it's true). Then I stopped worrying about it. I started worrying more about having fun than making money. I figured it would work out in the end, so I just did things that seemed right, as opposed to what was the consensus view of how to do things. And I will continue to do that. I suspect people will be constantly scratching their heads at the stuff I do. Just know, your opinion - though interesting - is irrelevant. I'm not worried about what anyone else thinks about my choices. Anyhow, I figure I'm in the win column already, since my kindergarten teacher figured I'd never amount to much of anything. So now I'm playing with the house's money. Just have fun and stop worrying about everyone else. It's a much better way to live.

Boiling the DNS puddle

Submitted by Mike Rothman on Mon, 2008-08-11 16:46.

I'm still rather haunted by Dan Kaminsky's DNS presentation from last week's Black Hat conference. As I mentioned in my Day 1 wrap-up, you forget how pretty much everything you do is dependent on having trustworthy DNS. Dan showed that DNS is anything but trustworthy.

So I spent some time trying to figure out how to solve the problem. Sure, a lot of really smart folks spent some time doing the same. And they couldn't really see a tangible answer, so they are pushing towards source port randomization to at least minimize the likelihood that the DNS cache will be poisoned via a Kaminsky attack.

Part of the luxury of not being a real technical guy is that I tend to look at the problem in an unconventional way. I suspect (but don't know this for sure) that many others are trying to solve the entire problem. Which I suspect is akin to boiling the ocean.

After looking at DNSSEC for a little while, clearly that isn't attainable for a network the scale of the Internet. The idea of digitally signing all of the requests is a good one in theory, but clearly ain't going to get there. And with the zone enumeration issue inherent to early versions of DNSSEC, folks are starting to layer band-aids and duct tape over the issues, in a feeble attempt to try to get the technology to "work."

I really doubt it's going to happen. So what's plan B?

I've also been doing a lot of research into CSRF (cross-site request forgery) attacks and I see some similarities to the Kaminsky DNS issue. Not like twin brothers. More like 3rd cousins. Basically, in both scenarios, it's not clear that you can trust the other side of the transaction, so you need to layer some more "tests" on top of the base transaction to make sure you are receiving traffic from the real McCoy.

One of the techniques for defending against CSRF is to add a token to each transaction, which would be difficult (not impossible, but difficult) to spoof and therefore would sort of validate that the other side of the transaction is legit.

Why couldn't we do this for DNS requests? I know, I know. We'd have to update all the name servers and then propagate the software through the DNS hierarchy. But that's only if we are trying to boil the ocean.

What if we only tried to boil a lake, or even a puddle, and started building some of the code into our key applications (or as a proxy for our key applications)? And then we could get our trading partners (who we are doing high value transactions with) to add the same code to their applications. Thus, any traffic I'm sending to IP addresses in their environment is also "tokenized."
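As an added illustration (my own example, not the author's code) of the CSRF token idea from a few paragraphs up and of what a per-transaction "token" on DNS amounts to: the first half mints and checks an HMAC-bound CSRF token; the second models a resolver that accepts a reply only if it matches an outstanding query's transaction ID and source port, which is exactly the guess space that source port randomization enlarges. All names (csrf_issue, csrf_verify, PendingQueries) and the sample secret are assumptions of this example.

```python
"""Per-transaction tokens a peer must echo back, in two flavours:
(1) a stateless HMAC-bound CSRF token for web forms, and
(2) a stateful outstanding-query table modelling what a DNS resolver checks
    (transaction ID plus source port) before it trusts a reply.
Function and class names are this example's own, not a library API."""
import hashlib
import hmac
import math
import secrets
import time
from typing import Optional, Set, Tuple


def csrf_issue(secret: bytes, session_id: str, now: Optional[int] = None) -> str:
    """Mint a token bound to the session: ts:nonce:HMAC(secret, session:ts:nonce).
    Nothing about it is guessable without the server-side secret."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    msg = f"{session_id}:{ts}:{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{mac}"


def csrf_verify(secret: bytes, session_id: str, token: str,
                now: Optional[int] = None, ttl: int = 3600) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches THIS session.
    A token minted for another session (or tampered with) fails the MAC check."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[0].isdigit():
        return False
    ts, nonce, mac = int(parts[0]), parts[1], parts[2]
    current = int(time.time()) if now is None else now
    if not (0 <= current - ts <= ttl):      # expired or future-dated
        return False
    msg = f"{session_id}:{ts}:{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


class PendingQueries:
    """Resolver-side table of outstanding queries. A reply is accepted only if
    it matches a pending (qname, txid, source port) tuple, so that tuple is the
    'token' a forged reply would have to reproduce. With a fixed source port
    only the 16-bit txid is unknown to a blind forger; randomising the port
    adds roughly 16 more bits."""

    def __init__(self, randomize_port: bool):
        self.randomize_port = randomize_port
        self.pending: Set[Tuple[str, int, int]] = set()

    def send_query(self, qname: str) -> Tuple[int, int]:
        """Record a query and return the (txid, source port) it was sent with.
        Constructed stand-in for the real socket send."""
        txid = secrets.randbelow(1 << 16)
        if self.randomize_port:
            sport = 1024 + secrets.randbelow(65536 - 1024)  # ephemeral range
        else:
            sport = 53  # the fixed-port behaviour Kaminsky's attack exploited
        self.pending.add((qname, txid, sport))
        return txid, sport

    def accept_reply(self, qname: str, txid: int, dport: int) -> bool:
        """True only for the first reply matching an outstanding query;
        anything else (wrong txid, wrong port, late duplicate) is dropped."""
        key = (qname, txid, dport)
        if key not in self.pending:
            return False
        self.pending.remove(key)  # first matching answer wins; later ones are ignored
        return True

    def guess_space_bits(self) -> float:
        """Bits a blind forger must get right for one reply to be accepted."""
        port_bits = math.log2(65536 - 1024) if self.randomize_port else 0.0
        return 16 + port_bits
```

The DNS half only models the matching logic; real resolvers also check the question section and the reply's source address, and the same "echo my unguessable token" shape is what the CSRF token gives an HTTP form.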

If a large enterprise moves in this direction, they likely have enough pull to get their ISP (or multiple ISPs as it may be) to build the code into their name servers. Then it sort of becomes a bottom-up movement, as opposed to a top-down mandate. Top down doesn't work too well in the age of the Internet.

In terms of caveats, I have no idea if this would even work. I'm literally making this up. Or if Kaminsky would make mince-meat out of this in seconds. Or if many others have tried this and failed already.

I also don't know how complicated it would be to add this proxy layer to tokenize the DNS requests. I don't know if it will scale or if it will solve the problem. Or if the very nature of DNS requires that we boil the ocean, as opposed to the puddle.

Basically, I'm throwing some spaghetti against the wall and I figure the real smart guys out there will take a look, tell me I'm an idiot and then maybe suggest something that would be more tangible/feasible/logical, etc. It's all about fostering the discussion, since after seeing Kaminsky's pitch, sticking our heads in the sand and waiting for divine intervention to fix the problem ain't going to happen.

Photo credit: "lake (or puddle?) of free boiling mud" originally uploaded by magtravels

Black Hat 2008 Day 2: Web 2.0 mayhem

Submitted by Mike Rothman on Thu, 2008-08-07 20:14.

As you are reading this, my flight back to ATL should be climbing up through 10,000 feet on my way back home. Another year, another Black Hat, another set of things that are sure to kill us somewhere down the line, another few parties, and another frantic ride back to the airport.

Day 2 was a bit more sedate than Day 1, though that may have more to do with my hangover (that I finally chased away about 3 PM). I also skipped the keynote, though I heard it was pretty good. Here's a brief rundown of the sessions I did today.

  • Satan is on my friends list: This session went deep into some of the tricks you can use on Facebook, MySpace, and LinkedIn to make the application do unexpected things. The most interesting thing is that the attacks were shockingly simple. No wonder these social network sites are such havens for malware, leveraging XSS, CSRF and all sorts of other attack vectors. Shawn Moyer and Nathan Hamiel also ran a little experiment in adding Marcus Ranum (with his permission) to LinkedIn and added about 60 connections within a day. One of the last recommendations was to make sure you had a profile on each of the sites. Not because you plan to use it, but because you should get one out there before the bad guys do. At least the inimitable Ranum now has a profile.
  • No More Signatures: Defending Web Apps with ModProfiler: I was pretty disappointed with this session from Breach's Ivan Ristic and Ofer Shezaf. They spent the first 45 minutes explaining what a web application firewall is and some specifics about ModSecurity (the open source version). I was there to hear about ModProfiler, which is a new project focused on more effectively leveraging a positive (if it's not explicitly allowed, then it's not allowed) web application security model. They only spent maybe 30 minutes on that and didn't show the code or a demo or anything. Maybe they did in the last 15 minutes, but I left before then. You shouldn't make people wait for an hour to get to the technology mentioned in the title of the pitch.
  • Get Rich or Die Trying: Jeremiah did a great job going over quite a few scams that really leverage web technologies, kind of. Most took advantage of weaknesses in the web application, as opposed to actual security flaws. And to see some of the real simple stuff (like having press releases accessible before they hit the wire by figuring out the naming sequence), and how one woman made about $400,000 by selling merchandise that QVC shipped her even after she canceled the transaction. So, the moral of the story is that companies should probably pay their Q/A people a lot more money (or get new ones) to find this stuff before an application goes live.

And that's all she wrote. Back to a regular publishing schedule next week. Enjoy your weekend.


Black Hat 2008 Day 1: We're Screwed!

Submitted by Mike Rothman on Thu, 2008-08-07 11:39.

Day 1 of Black Hat 2008 is in the books. It's great to see a lot of old friends, and it seems this year (more than the last two) many of the folks I'm talking to are more focused on the networking than on the session. Not me. I'm still fired up about seeing really smart guys discuss what they are up to and give me a lot of food for thought about how we need to continue protecting ourselves.

I ended up hitting almost all the sessions I wanted to, so let me go through some quick observations.

  • Keynote: Ian Angell, Professor London School of Economics - Professor Angell is a pretty engaging character and I enjoy his systematic skewering of the common knowledge about risk and what we can really control. Which is basically nothing.
  • Bad Sushi: Nitesh Dhanjani and Billy Rios - As mentioned on Tuesday, I was looking forward to this session and it was a lot of fun. Especially when they pulled the RickRolling prank on the phishers and to see how many of them fell for it was great. Sometimes it's nice to strike back, although it doesn't have much of an impact on how we do things.
  • Kaminsky's DNS talk: It was packed. I mean PACKED. And Dan delivered the goods. The thing that resonated the most is how dependent we are on DNS for pretty much everything, and if DNS is not trustworthy, we've got a real problem. Lots of innovative ways to compromise stuff assuming the bad guys own DNS and plenty of other goodies. I have some larger thoughts about the DNS topic, which I'll write up for Monday, but the only conclusion you can really draw is that we're screwed. But isn't that what Black Hat is all about? Giving security folks that uneasy feeling of not being able to keep up with all the attacks?
  • Hoff's Four Horsemen: The Hoff delivered the goods as well. First of all, the slides were very pretty. You should check them out. But aside from the aesthetic beauty of the content, Chris really put into question a lot of the assumptions many folks are making about securing the virtualization layer. Rich did a good write-up of Hoff's pitch and other Black Hat topics.
  • Network Monitoring, Bruce Potter: I hadn't seen Bruce speak before and it was very entertaining. But most interesting was the very compelling case he made for why you need to monitor your networks using something like Netflow. He also talked a bit about a new open source tool called Psyche that his team is releasing and it looks pretty cool. It's nice to see the idea of network monitoring being discussed on the big stage. Of course, there are folks like Bejtlich that have been beating that drum for years. But given all the other stuff we're seeing at the show this week (basically we're screwed), the idea of figuring out everything isn't going to happen. So we need to REACT FASTER and monitoring is the way to do that.

The Mogull and I recorded a quick podcast yesterday as well. We talk about Kaminsky and Hoff's pitches and come to the conclusion that basically we're screwed. You can check it out at the Network Security Podcast site.

Before I head off to Day 2, I have to relay my latest Vegas star sighting. To wrap up the night Shimmy, Mitchell, Adrian Lane and I are catching a little late night breakfast at Caesars. Sitting right next to us is Jeff Dye, one of the finalists on this season's Last Comic Standing. You all know what big fans of comedy the Boss and I are, so it was great to see him in person. He's a very nice guy and he really is that pretty. They are announcing the winner of the show tonight, so I told Jeff we'd be pulling for him.

Only in Vegas...

Things not so clear for CLEAR

Submitted by Mike Rothman on Tue, 2008-08-05 12:18.

Interestingly enough, I tried to register for Clear this morning on my way out to Vegas. They are rolling out the service in ATL and given the amount I fly, I figured it would be a good investment. The folks at the desk were kind enough to tell me the computer systems were down and that I'd need to come back later.

Upon arrival, I connected via my EVDO card (no WiFi in Vegas with all the haXors around) and tried to do the online registration (so I could finish up when I get back to ATL). But the application was being upgraded.

Actually no, the TSA has put the kibosh on Clear while they mop up the mess of a lost laptop. Thanks Breach Blog, now I know what is going on. How about that laptop encryption? I can see the commercial now:

  • Cost of laptop encryption: $100 per agent
  • Lost revenue from a data breach: $zillions
  • Reality that the TSA is putting you in the penalty box for years for violating their trust: Priceless

And for those already in the Clear. You've been pwned! Now the bad guys have your retinal scans and fingerprints. They don't even need to chop your fingers off anymore to beat the biometrics. Actually, I'm kidding, I'm not sure what data was stolen.

It never ends.


The Daily Incite - August 5, 2008

Submitted by Mike Rothman on Tue, 2008-08-05 11:27.
Today's Daily Incite

August 5, 2008 - Volume 3, #67

Good Morning:
I'm glad kids are so adaptable. Yesterday, the twins started at their 4th pre-school. In 4 years. And they are not even 5 yet. It's kind of wacky. The first was exclusively an 18-month program. It was a good program, but a 15-20 minute ride from the house, which became a drag. The second was right around the corner and was great, but didn't offer a full day program - which we needed when the twins turned 4. So last year we sent them to yet another program, and they really liked it. We figured they'd be in the same program again this year, and that was that.
No money for you!
But the best laid plans... It seems the director of the school decided (in her infinite wisdom) that it was OK to have 41 kids, split across 2 classrooms with only one teacher and two assistants. Yeah, not so much. For what I was paying for the privilege of sending my kids to the school, we deserve better than double the teacher:student ratio they get in public school.

The Boss was a teacher before the kids were born, so she realized how untenable the situation was. A lot of other parents had real reservations as well. So much that a simple meeting turned into a 2 hour bludgeoning of the Director. After a while, she relented and said she'd hire another teacher.

Cool, problem averted. Back to our regularly scheduled program. But I have taught the Boss well, and she immediately went into contingency planning. What if they don't get another teacher? What do we do then? Well, the Boss didn't leave anything to chance. She scouted out another (well regarded) school in the area. So when we heard the Director had "changed her mind" and wasn't hiring another teacher - it was right down to the other school to get our kids a spot.

We decided to vote with our wallets. We knew going back to the Director was going to be fruitless. So we didn't even bother. We didn't complain about it, we took action. Too many folks just accept their lot in life, with nary a whimper. That ain't me or the Boss. If we don't like it, we change it. It's as simple as that.

Thus, the 4th school in 4 years. The boy cried a bit today, but he'll be fine. He's not as good with change as the others. It's a great program and they will be super ready for kindergarten next year. This new school has up to 36 kids in the class, but 3 REAL teachers. The kids are broken up into 3 groups, and no more than 2 groups are ever in the class at any one time. There is a school store (where the kids can practice) and it's very rigorous from an academic standpoint.

We aren't those crazy parents that are trying to push the kids ahead. Drilling them in multiplication tables before they are even in kindergarten. Yes, there are parents that do that. We have them in a full-day program so the Boss can work. But while they are there, they may as well get a good education. 

Have a great day. 

PS: I'll be at Black Hat this week. Check out my thoughts on the show.

Photo: "Empty" originally uploaded by -Mandie-


Top Security News

Penny wise and pound foolish - laptop encryption style
So what? - Andreas from Nemertes (run by my former colleague and all around brain surgeon Johna Johnson) makes an impassioned plea for laptop encryption in his recent NetworkWorld column. His main point is that there really is no excuse not to encrypt the laptops. Given the reality that a bunch of devices will be lost, quite a few stolen, and still others compromised due to the general idiocy of the owners, why not do it? Especially given the availability of "free" open source solutions like TrueCrypt. This is where he loses me. I'll admit to not having played around with TrueCrypt (Apple's FileVault works fine for me), but the idea of any mid-market or enterprise technology manager rolling out open source technology to the masses scares the hell out of me. And not for why you'd think. The technology is more than likely solid. It's the manageability that I worry about. Does TrueCrypt come with a management console to deploy the software to 100 devices, or 1,000 devices, or 10,000, or 100,000? Does it handle exceptions and create a failsafe so the CEO can access his/her laptop when they forget the password and not require you to FedEx a recovery disk to them? Can it recover if they lose the tip of their index finger in a freak private plane accident and can't use the fingerprint reader? If the answer is yes, then I'm cool. If it's no, I'd point technology managers to not forget that whatever they deploy - they actually have to manage.

Vista is more secure than XP - uh huh!
So what? - Since I'm looking forward to seeing Jeff Jones and some other Microsoftians at this week's Black Hat conference, I'll just take a moment to poke fun at this continuing myth that one operating system is more secure than another. It's like saying one gun is more deadly than another. The folks that watch Microsoft continue to perpetuate this fallacy. Of course, based on Microsoft's own subjective assessment of the patches' "criticality." The reality of the situation is that it doesn't matter which operating system is "more secure." In the hands of a stupid user, either of the operating systems is a deadly weapon. I understand that the Microsoft watchers have a vested interest in making sure Microsoft sells more Microsoft stuff, so they have more actions at Microsoft to watch and write about, but still. The fact is Microsoft makes it hard to continue using XP. It's hard to buy. You should have seen the hoops my father-in-law had to jump through to get XP on his new laptop (since I couldn't in good conscience tell him to actually use Vista). Within a few years it will be hard to get support on XP. So Vista is the future, whether we like it or not. And whether it's secure or not is beside the point. How many bugs each one has is also beside the point. Everything is vulnerable (even my beloved Mac) and we need to plan for those eventualities. But tracking this stuff is certainly an interesting use case for Excel.

The world remains neither black nor white
So what? - I'm not known for my love of gray. In fact I hate it. If I could reduce every decision to a clear, black or white, left or right, up or down analysis - I'd be a happy guy. Of course, the world isn't like that, since without black there can be no white. Without up? That's right, no down. OK, enough of abstract philosophy. I'm reminded of these issues when I see the whitelisting vs. blacklisting argument resurface. It's like when I saw Andy Jaquith go through his provocative "AV sucks" pitch at Source Boston earlier this year. Of course, Andy was poking fun at the AV engine that drives security, but he only told one half of the story. His story is about the inabilities of the blacklist (signature-matching) techniques to scale to keep up with the new attacks. On that point he's exactly right. That's where whitelisting comes in and pretty much every big AV product has some kind of whitelisting capabilities. Some more formal than others, some that try to get you to pay extra for it. But it's all the same. You need the black list to make sure you don't make the same mistake twice. You need a white list to allow the things you know need to be allowed. And you also need some kind of "gray list," which more heavily scrutinizes the stuff not on either the white list or the black list to make sure it doesn't kill you. But religion continues to drive page views, so I figure we'll continue having more of the same for a long time to come.

The Laundry List

  1. OK firefighters, you can go home now. It seems FIRE has extinguished the burning embers of their first two quarters as a public company. They should send a thank you note to the outgoing US Federal regime, who is evidently set on helping lots of security companies make their quarters. - Sourcefire earnings release
  2. Core introduces a pen tester "lite" version of Impact, called Impact Essential at a cheaper price point. This is good stuff, since the more folks that learn to "hack themselves," the better. - Core Security release
  3. Talk about weird timing. Two companies emerging from the rubble of CipherTrust attack the same market, web security in the cloud. Jay Chaudhry's is Zscaler, the other group is Purewire. Which came first, the cart or the horse? - 451 Group blog
  4. Everyone jumps on the PCI bandwagon. Even an application configuration management play called mValent. If it wasn't so sad, I'd actually laugh a bit. - mValent release

Top Blog Postings

More numerical idiocy
First of all, hats off to Dancho for using Count von Count's picture in a blog post. The Count is by far my favorite Sesame Street character. Actually, the highlight of a recent Orlando trip with the kids was getting a picture with the Count himself, all the way in from Transylvania. But I digress. Dancho skewers the recent one-upsmanship from the AV vendors about who has more thingys to detect other thingys. His point is that none of this matters because today's brand of malware is sufficiently evolved to actually morph and obscure on the fly. So how many you have doesn't really matter, as long as you have the one the script kiddie is using against you right now. Or have some kind of white/black/gray list approach (as mentioned above), or better yet - just wait in your office for someone to do something stupid, then you clean up the mess. Which is what we normally have to do anyway, right?

I'm too disillusioned to CAER
Actually I'm not, but it was a nice play on words based upon the latest wisdom to emerge from the Tao Master himself. Bejtlich introduces a new acronym (since we haven't had a new acronym in a while, sorry Rich ADMP doesn't cut it) that really sums up the operational roles of the security professional pretty effectively. Collection, Analysis, Escalation, and Resolution are what CAER represent and there is a lot of logic here. Especially as Richard laments the fact that most folks just collect data and don't really do much with it. Besides maybe generate some reports for an auditor every six months or so. They figure the audit is the end goal, not a checkpoint on the way to figure out if you've wandered off the reservation. Another point also rings true: "the goal of every mature security operation is to reduce the mean time to resolution." Ain't that the truth! Unfortunately it's not clear to me what most security professionals believe the goal is. They generate some great reports about how quickly they patch and what wonderful AV coverage they have on the devices. Bah humbug. Maybe set about trying to CAER a bit more for the rest of the year. Everyone will appreciate you efforts. 
Link to this
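To make the "collect and do nothing with it" complaint measurable, here is an added example (mine, not Bejtlich's or this blog's code) that walks a handful of constructed incident records through the four CAER stages and reports the mean time to resolution, the mean time spent in each stage transition, and which incidents stalled at collection or analysis. The incident data, field names and timestamps are all assumptions made up for the illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data). Each carries the time it
# entered each CAER stage; a None means the incident never reached that stage.
INCIDENTS = [
    {"id": "INC-1", "collected": "2008-08-01T08:00", "analyzed": "2008-08-01T09:30",
     "escalated": "2008-08-01T10:00", "resolved": "2008-08-01T14:00"},
    {"id": "INC-2", "collected": "2008-08-02T22:00", "analyzed": "2008-08-03T07:00",
     "escalated": "2008-08-03T07:30", "resolved": "2008-08-03T09:30"},
    {"id": "INC-3", "collected": "2008-08-04T11:00", "analyzed": "2008-08-04T11:45",
     "escalated": None, "resolved": None},   # analyzed, never escalated
    {"id": "INC-4", "collected": "2008-08-05T03:00", "analyzed": None,
     "escalated": None, "resolved": None},   # collected and forgotten
]

# CAER stages in the order an incident moves through them.
STAGES = ["collected", "analyzed", "escalated", "resolved"]


def _ts(value):
    """Parse the constructed ISO-ish timestamp, passing None through."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M") if value else None


def stage_durations_hours(inc):
    """Hours between consecutive stages; None where the later stage was never reached."""
    out = {}
    for a, b in zip(STAGES, STAGES[1:]):
        ta, tb = _ts(inc[a]), _ts(inc[b])
        out[f"{a}->{b}"] = (tb - ta).total_seconds() / 3600 if ta and tb else None
    return out


def mean_time_to_resolution_hours(incidents):
    """Mean collected->resolved time over incidents that were actually resolved."""
    done = [(_ts(i["resolved"]) - _ts(i["collected"])).total_seconds() / 3600
            for i in incidents if i["resolved"]]
    return mean(done) if done else None


def mean_stage_hours(incidents):
    """Per-transition mean, which shows where in CAER the time is going."""
    acc = {f"{a}->{b}": [] for a, b in zip(STAGES, STAGES[1:])}
    for inc in incidents:
        for key, hours in stage_durations_hours(inc).items():
            if hours is not None:
                acc[key].append(hours)
    return {key: (mean(v) if v else None) for key, v in acc.items()}


def stalled(incidents):
    """Unresolved incidents mapped to the last CAER stage they reached."""
    out = {}
    for inc in incidents:
        if not inc["resolved"]:
            out[inc["id"]] = [s for s in STAGES if inc[s]][-1]
    return out


if __name__ == "__main__":
    print("MTTR (hours):", mean_time_to_resolution_hours(INCIDENTS))
    for key, hours in mean_stage_hours(INCIDENTS).items():
        print(f"  mean {key}: {hours}")
    print("stalled:", stalled(INCIDENTS))
```

The per-transition means are the useful part: a large collected->analyzed number says the collection is outrunning the analysis, and the stalled list is exactly the pile of data that got collected for the auditor and never acted on.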

Your demo still sucks
Doing what I do, I'm subjected to a lot of demos. Though I try my best to get out of them. I'll use all sorts of excuses. Like the dog ate my Internet router (I don't have a dog). Or your WebEx works like crap on my Mac (it works well enough). Or my coffee shop blocks access to your crummy demo (actually I could surf pr0n there if I wanted to). Despite my best efforts the demos still suck. Why? Because most demos still focus on what the product DOES, not what PROBLEM IT SOLVES. If you have anything to do with demos, please read Mitchell's rants on doing demos, and listen. Do scenarios. Help the prospect (or analyst) understand how your tool is going to impact their job. Make the issues real for them. What can they do better with your stuff, saving them time or money or protecting information more effectively? And I love the idea of packaged demos. Even if you (or your best SE) are great at doing the demo, I'm sure other folks in the field suck. So take the variability of crappy Internet connections and the like out of the equation. A recorded demo also makes sure your folks stay on point and highlight the issues/problems/capabilities that really matter. Not what the product manager thinks is a cool feature or a nicely colored box.
Link to this

Black Hat 2008 Preview: Paranoia and Learning

Submitted by Mike Rothman on Tue, 2008-08-05 06:51.

Hard to believe, it's time for another Black Hat conference. This is my third, and as I sit in the airport waiting to head out to Vegas, I'm eagerly anticipating the show. For lots of reasons, but mostly because it's the only show I attend to actually learn something. It's not like RSA or CSI are big on "education." I certainly know that I don't know it all, but Black Hat is a place where I can hang out with guys a lot smarter than me. And that's a good thing.

Even if the show has gotten a bit corporate. 

As others have mentioned, Black Hat/DEFCON are not the places to be careless about your computer security. Now that BH is doing the Wall of Sheep as well, no one is safe. I was at Rob Graham's session last year where he pulled up some poor sap's Gmail through his sidejacking attack. That ain't going to be me.

So what do I do? WiFi is OFF. Period. Until I get back to ATL on Friday, WiFi is off. I'll just rely on my Verizon card for the few times I'm in my room and connected. I don't carry my laptop at the show, rather relying on good old-fashioned paper and pen to take notes. I may do a quick post or two from my iPhone (3G, I upgraded over the weekend), but for the most part I'll be mostly disconnected.

Speaking of my iPhone, WiFi is off on that as well. I'm also turning off Bluetooth. That means I'll be the silly one with the wired headset. But I'm not sure what new attacks have emerged, so I'll suffer the wired life for a few days. I'm also turning off the GPS. It's not like I'm going to get lost in Vegas, and again although I haven't heard of specific GPS attacks, why risk it?

Yes, clearly it's paranoia in full effect. But better to be safe (if a bit disconnected) than sorry. That's for sure.

In terms of sessions, a few caught my eye:

  1. Bad Sushi: Beating Phishers at their Own Game (Wednesday, 10 AM): I'm going to see my friend Nitesh Dhanjani and Billy Rios do their anti-phishing talk. Clearly there are both process and technical defenses against the phishermen.
  2. DNS Goodness (Wednesday, 11:15) - Obviously Kaminsky's session is going to be a circus. They should probably move it into the keynote room to accommodate everyone. Not sure I want to fight the masses to attend, but I'm sure it will be interesting.
  3. The Four Horsemen of the Virtualization Security Apocalypse (Wednesday, 1:45) - I've got to be there to support my boy Hoff and I'm actually interested in how he's evolved his pitch. I also heard (from the horse's mouth) that the slides are real pretty, so I'll probably take a few presentation pointers from the Rational one.
  4. Malware Detection through Network Flow Analysis (Wednesday, 3:15) - Since part of my schtick is REACT FASTER, Bruce Potter will be previewing a new version of his flow analysis tool, and that may fit the bill. Lord knows a lot of the NBA tools are way too heavy and high end for the mass market, so an open source alternative could be interesting.
  5. Exploiting Google Gadgets (Wednesday, 3:15) - I'll also try to swing by RSnake's pitch, where he and Tom Stracener will be exploiting Google Toolbar and discussing a zero day. Woo Hoo.
  6. Satan is on my Friends list (Thursday, 10) - I'm fascinated with this social networking thing and figuring out how to exploit it is pretty interesting. There is a lot of cutting edge research happening around this area.
  7. No More Signatures: Defending Web Applications from Zero Day Attacks (Thursday, 11:15) - Yes, I plan to go see Sir Ivan and Ofer Shezaf discuss how profiling traffic can help defend web apps. This sounds like a positive security model and I think that's a pretty important aspect of defending the web apps.
  8. Get Rich or Die Trying (Thursday, 3:15) - I'm also going to see Jeremiah do his logic flaws pitch. These are very interesting attack vectors and I'm looking forward to seeing how Jeremiah and Arian go through and pwn applications via the developers' own mistakes.

I'm sure there are others, or maybe not. I tend to like to keep my schedule pretty fluid at Black Hat. I'll be hitting the party scene as well, so I hope to see at least some of you in Vegas.

Safe Travels.

Revisiting Big is the New Small

Submitted by Mike Rothman on Mon, 2008-08-04 08:27.

It's been quite a while since I penned the original "Big is the New Small" piece back in February of 2006. Obviously a lot has changed and happened in the security space since then. So I figure on the first Monday in August, I'd revisit that position and figure out if it was still relevant.

To refresh everyone's memory, Big is the New Small was the moniker I came up with to describe why consolidation was happening in security and why it was going to continue. Customers were increasingly fed up with the idea of having to manage multiple products from multiple vendors to handle mature, somewhat commodity functions. And all things being equal, they want to buy these solutions from "Big Security," the large publicly held companies that have staying power.

Much of this has come to pass. The Big have gotten bigger by continuing to acquire technologies to fill out their product families. Large companies have always acquired smaller companies, that's nothing new. And the original concept behind Big is the New Small is that customers were tired of dealing with crappy little vendors. They'd much rather deal with bloated, unresponsive, lumbering vendors.

There are many that cling to the "best of breed" myth. It's even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn't happen.

These ideas also are NOT an indictment of innovation, as many of the small vendors called it. It was a pragmatic view of how the industry is working now. Some choose to fight it, until Big Security swings by with a bag of money. Then they get religion pretty quickly. But even that isn't the point.

The point is that over the last 2 years, customers are looking for security that is "good enough." The main issue is that without anything that is truly innovative (and it's been quite a while since we've seen true innovation in the security space), customers have no choice but to go with good enough. Most of the new companies out there are focused on "better, faster, cheaper" models of improving the way things are already done.

Since security remains an expense and an overhead item, the natural inclination is to minimize cost, and that means to buy solutions that aren't the most expensive, but meet the needs in the most cost effective mechanism. That's this entire drive to doing security in the cloud. Since it's good enough, we may as well have someone else deal with it.

By no means am I saying that our protection is good enough, it's not. But I don't think it's because we have a lack of tools or knowledge. We collectively suck at protecting information not because we don't know what to do. We suck because we just don't do it. If we would actually use half the crap we've bought, and build a strong and credible security program - things would be a lot better.

Not perfect, but better.

But we don't, so it's not. Thus, good enough is here to stay. And as long as good enough is the primary criteria for most product/service purchases, it favors Big Security. They aren't much, but they are usually good enough.

Photo credit: "Good enough" originally uploaded by russelldavies

Deal: McAfee acquires Reconnex

Submitted by Mike Rothman on Fri, 2008-08-01 08:52.

As predicted, the DLP market continues to consolidate on its way to eventually disappearing. McAfee announced as part of their earnings release that they are acquiring Reconnex for $46 million in cash. This is a good deal for McAfee for lots of reasons. I don't think they are going to be "redefining the data protection market" as stated in their press release - but there are positives.
Get your DLP at the Cheap Store

  1. All the cool kids have one - McAfee needed to bolster their DLP position because their benchmarks, Symantec, Trend, EMC/RSA, and Websense, already acquired assets in this space. They also realized the endpoint centric product they've brought to market (based on the Onigma acquisition) wasn't going to get them there. Reconnex is one of the last independents standing, so it's not a surprise they got taken out.

  2. DLP is a feature - As I've mentioned, DLP is not a market category that is going to stand alone. These capabilities need to be built into bigger security, and eventually general IT infrastructure. McAfee now has some more technology to foster that kind of integration and value add.

Of course, all that glitters is never gold, so there are some things to watch for, especially around channel mismatch. McAfee doesn't really have a high end services/implementation business to drive big DLP implementations. And their channel tends to focus more on mid-sized companies. Sure they do some big deals (around endpoint security and some IPS), but there could be a bit of an impedance mismatch when the reality of DLP deployment cycles sets in.

How about that price?

But any potential issues with the deal are offset by the price. $46 million in cash. Wow! That is really a fire sale price for a company with seemingly a lot of momentum. I guess seemingly is with a capital SEEMINGLY.

Reconnex had raised $37 million in VC funding. So the VCs get their money out, the management team (mostly executives) maybe gets a little carve out, and the rank and file get screwed. Of course, that is speculation on my part, but having seen enough of these deals - I'm probably not too far off.

This is just yet another example of the reality that you cannot believe all you read. Check out the momentum release from TWO WEEKS ago. If you take the words on the surface, things are going great. Lots of growth, named a leader in that quadrant thingy, yada yada. The print isn't even dry on that release and they sell for not much more than DeWalt's expense account.

I'm sure there is some kind of back story here, and I'm sure it's not real pretty. But at the end of the day, they got a deal done. Bully for them. And once again, McAfee shows it's one of the shrewdest buyers in the space. They won't have to turn many Reconnex lemons into lemonade to make the deal pay big time.

Photo credit: "Cheap Store" originally uploaded by ZannaLyon

The Daily Incite - July 31, 2008

Submitted by Mike Rothman on Thu, 2008-07-31 09:00.
Today's Daily Incite

July 31, 2008 - Volume 3, #66

Good Morning:
I have to admit, the Internet has made me nicer. Now, I wouldn't go around saying I'm like nice or anything. But understanding how the blogosphere works and the fact that Google never forgets (it truly has a photographic memory) makes me a nicer person.
Have a nice day!
Since most of the folks that know me well wouldn't say that "nice" is one of the ways they'd describe me, I'll provide some context. A while back the Mogull was complaining about those sploggers that steal syndicated feeds and put up web sites that sell ads around someone else's content. He even ran a pretty funny experiment to see if they pay any attention to what shows up in the feeds. It's a deplorable practice, but it also must be working because I see another one of these sites (stealing my content) popping up weekly.

There are lots of different opinions about how to deal with this. I've chosen to not allow my feed to be syndicated without permission. It's my content and that's what I decided to do. Basically I ask (nicely I might add) for the content thief to stop syndicating my content. Most of the time these folks don't have an email address on the site (though I'm sure they have a place to deliver the AdSense commissions), so I'll leave a comment. Failing that, I lodge a complaint through FeedBurner and within a month or so that usually takes care of it.

Though I did get a pretty nasty response back from one of the webmasters, saying no one has ever asked to be removed from his site before and basically implying that I'm some kind of idiot. Didn't I know that it's very expensive to run a site that steals other people's content? How dare I question his ability to monetize my work (which I've chosen not to monetize).

Before the blogosphere, the "old" Mike would have ripped this guy apart. I would have sent one of my patented nasty-grams (anyone that has worked with me for any length of time has probably experienced it) and that would be that. But I didn't send a nasty-gram. In fact, I sent a very cordial response back saying it was a personal decision and thanked him for doing such great work to aggregate so much great content. Yes, I blew some smoke into his backside.

Huh? Have I become some kind of wimpy, sniveling lame butt? I guess if I'm being candid, sort of. I'm just very sensitive to the "TechCrunch" effect. Basically, if I sent a nasty-gram and told this guy what I really thought of him and how he's a drag on society and adds no redeeming value. That his parents should be ashamed of him and that if he had any kind of original thought or brain activity he would publish his own stuff, instead of stealing mine. But I didn't because I figured he would turn around and post it in a high profile place. And then I'd be the one that looked like a schmuck.

So there you have it, now I'm a nicer guy because I know when I'm not, it'll show up on some web site and make me look like an ass. I guess it's kind of a deterrent in that sense. To be clear, I'm not any nicer, I just understand that venom and vitriol should be delivered in ways that cannot be cut and pasted onto TechCrunch.

Have a great weekend. 

PS: If you didn't see, the P-CSO was reviewed on Slashdot. Woo Hoo.

Photo: "Smiley face cookie" originally uploaded by devillibrarian


Top Security News

Is there a "secure enough?"
So what? - I tend to say "good enough" at least a couple of times a day. I believe that given the opportunity, we'd hit the point of diminishing returns in security pretty frequently. Fact is, most of us don't get the resources or funding that we need to hit that point, but ultimately we need to get comfortable with the concept of "good enough." Until someone figures out how to turn security from overhead into revenue generation (and Ken, don't send me that friggin' white paper again :-), we'll still be in the same boat. Jai Vijayan does a little analysis of "secure enough" and it brings up some interesting points. Many of which are echoed in the P-CSO methodology. You know, figure out how secure you can/should be. Then understand "asset value," but personally I don't care about true value - but rather RELATIVE value. I'm trying to figure out what the most important assets are to protect. Then I need to implement a control framework (though that is much easier said than done). Check. Then measure and monitor. I think monitoring is critical, measurement is a nice to have. Not that it's not important to pull metrics, I just think there are a lot of things that can be measured that shouldn't. And the industry hasn't gotten any sense of agreement on what those things (to measure) should be. Overall this is a good article because it factors in the reality that we aren't going to get everything done and we need a structure to make sure that good enough is really good enough.
Link to this

I want to get out of that little car
So what? - Looks like Linus Torvalds (yes, the Linux dude) is aiming some of his angst (maybe about creating a bunch of multi-billion dollar revenue streams and not getting dick out of it) towards the "security circus." If this is a circus, I want to be one of the clowns that gets out of the little car. That looks like fun. It's easy for someone who just sits in an ivory tower and worries about kernel issues to be very critical of how security researchers choose to promote themselves. In fact, I do that all the time. I don't worry about kernel issues, but certainly spend a good part of every day in my own little ivory tower. The point Linus is trying to make is that security is sensationalized and it's a problem. Unfortunately, he thinks that taking a middle of the road approach of not pandering to either the no or full disclosure ranks is the right path. Unfortunately that doesn't work either and can be more dangerous than anything else. Ask Dan Kaminsky about that. I'm still of the opinion that it's either all or nothing. Either don't disclose at all, and work with the vendors in the background - hoping that the bad guys don't have the attack. Or disclose IT ALL and get the good guys making tools to hopefully stay ahead of the bad guys. Both ways kind of suck, but at the end of the day this is the bed we made (crappy code with no thought to security) - so now we get to sleep in it.
Link to this

And the benefits are great...
So what? - The grass is always greener on the other side. Fact is, if you work in the security business, odds are the grass looks like crap wherever it is you squat. It seems the vendor security researchers are a little steamed that independents get all the attention for finding the "cool" security bugs. Just because they don't have anything better to do, the X-Force ran some numbers to prove that it's really the vendor researchers that find 80% of the "critical" bugs. Talk about needing a hug. Would someone in Armonk please fly down to Atlanta and tell the X-Force guys that you still love them. That someone in a blue suit actually gives a crap about what they find. Or maybe this is a recruiting technique. Join the X-Force and find the important stuff. That's much better than going the independent route and becoming infamous and filling up your Black Hat talk. All kidding aside, it just seems ridiculous to me that anyone would be spending any time to figure out who was "more right." The bad guys are finding new stuff all day, I suggest the researchers (whether they are independents or vendors) get back to work.
Link to this

The Laundry List

  1. HD was not pwned, just misquoted and had the unfortunate luck of actually using AT&T for Internet connectivity. Yes, the fact that his company was impacted by his exploit code is ironic, but the mischaracterization in the media is irresponsible. - Metasploit blog
  2. Deal: Aladdin uses one of their wishes (and $65 million) to buy SafeWord from SCUR. Good for SCUR to focus on their gateway business. Good luck to Aladdin, I hear it's easy to compete with RSA and $5 tokens from everyone else. - Aladdin release
  3. Georgia boy hacks into his school. Must be taking the Mitnick approach to fame and fortune. Hack a bit, add KY and then write a book. Publishers line up, the book should be ready in about 2015. - NetworkWorld coverage
  4. Is Big Yellow rebounding? They announce a good FQ1. Evidently executing less than "sucky" actually works. And someone should be measuring Enrique's head for the crown. - Symantec earnings release
  5. Lots of other earnings news as well. SonicWall does OK. Zix also announces (why are these guys still public?), and Entrust shows that they still can't hit the top line number. All three mention the "challenging business environment." I guess that's a code word for "give me a pass, it's brutal out there."

Top Blog Postings

I'll take one defeat and despair to go...
It's a fact that you have to have a certain type of personality to be a security professional. Paranoia is critical, since they really are trying to get us at all times. But there is a downside to being able to focus on negative use cases all day long, every day. Basically we become grumpy and prone to despair. Amrit tries to provide some context around the fact that "This too shall pass" is a good way to look at things. A mentor of mine would constantly remind me that it was a marathon, not a sprint. We need to play for the long term, even though many of the incentive plans (both positive and negative incentives) are all about short term actions and thinking. Amrit believes that the good guys have a lot going for us and that we actually have an "advantage." Part of this is trying to make lemonade out of a bunch of crap, but he does have some good points. Yet the net is that the world is a resilient place. Every time you get backed up against the ropes, the collective we finds a way out of it. Yes, it's hard to keep that context in the morass of daily firefighting and the like, but it's true. The sun will rise tomorrow, just like it has for a billion years. Until it doesn't and then we probably have bigger problems to worry about.
Link to this

If that's the wrong problem, what's the right problem?
Sir Ivan makes a great point here about the real root cause of our security issues. "Underneath all our security issues lies our inability to write defect-free code. Solve that and we've solved the security issues. Focus on the security alone and we won't solve anything." I agree with the sentiment, but can't for the life of me figure out how we'd get there. Food for thought over the weekend. 
Link to this

"Perfect" measurement? Give up now.
Perfect is the enemy of the good. So when I see the title of this post on BlogInfoSec "Crossing the Metrics Rubicon: Quest for the Perfect Measurement" I turn my nose up and figure it's yet another highly theoretical idea about what should be counted and why. But to Patrick Foley's credit, this isn't that post. It's really about the fact that we have a lot more data now, but no one has figured out how to turn it into information. Most interestingly, he points to some securities trading and insurance models that could be instructive in what we have to do. But there will always be problems with models, since they can't predict what we don't know. And it seems every attack that has ever made a big wave was NOT predicted by the people that are supposed to be predicting. So I don't want data to help me predict what is at risk. I want data to help me understand whether I'm working efficiently. I'm starting to come to the conclusion that you can't necessarily come up with a number to represent "risk," but you can count and measure efficiency of the "right" stuff that we know needs to happen. I'm kind of throwing some crap against the wall here, but my utter frustration relative to almost all things metrics is forcing me to look at the problem from a very different perspective.
Link to this