the winning losing security debate

I saw the opening salvo on Twitter that caused the blog post, “You Know What’s Dead? Security…” from Chris Hoff, and he ended up penning a really good read.

I don’t think it is worth much to talk about “winning” or “losing,” ultimately. Security and insecurity are eternally linked to each other. This is maybe the first time where I like Hoff’s blog name: Rational Survivability. It’s really about surviving in an acceptable state, or rather, simply not losing. But there’s no real win going on, and it might be too much to expect a win at any time.

I do think Hoff got a little sidetracked on the commentary on the security industry. I’ll agree, in part, that the security industry isn’t making solutions that are aligned properly. But I’ll go on to say I’m not sure how a “product” of any type will ever truly be aligned enough to feel good about. These are just tools, and none will magically make someone think we’re winning, in whatever context of the word or feeling. If anything, the security industry has a problem in trying to make their tools sound like they solve the world… There’s also just a certain bit of irony stuck in there somewhere that Hoff typically pens about “cloud” stuff… 🙂

If I may dig further, I also dislike the thought of “innovation” in security. Security is a reactionary concept. It reacts to innovations by attackers, or to innovations in the things security is securing, for instance new technology or assets. That may not always happen in practice, but then again some activity just doesn’t end up being rational.

the secrecy game

Adam over at the New School of Information Security posted a good read: “How’s that secrecy working out?”. We have a lot of people all happy about how the government is talking about information sharing. The elephant back in the corner is: When you involve the government, they want you to share with them, but they won’t share with others and you can’t share with others either. Essentially, it doesn’t do any of us in the private area any good; in fact it makes things worse since it ties even more hands and causes people to pussy-foot around issues and details.

…because we (writ broadly) prevent ourselves from learning. We intentionally block feedback loops from developing.

One of the better posts I’ve read this year.

learning from irresponsible disclosure

Gotta link to Robert Graham again over at ErrataSec for the piece: “The Ruby/GitHub hack: translated”. There are too many good points to pass it up.

1. This is a great example of irresponsible disclosure in action. By attacking GitHub, not only is GitHub now less vulnerable, but more people (hopefully developers and security auditors) are aware of this problem. Sure, more awareness of the problem may mean more people use it against vulnerable sites, but the flaw was still in those sites. Vuln is present, but risk has gone up a bit…

2. The problem is inherent in the feature set that makes Ruby on Rails a boon to developers. Pretty much a great example of a design flaw that has benefits, but also has risk. Usability vs security.

3. It also means a flaw in one tool affects everything/everyone that uses that tool. GitHub was hacked as a reaction to Ruby on Rails rejecting the bug, GitHub’s choice to use that platform, and their lack of securing (understanding?) a hole.

4. Putting the onus on site owners to blacklist and even understand the issues is probably not the right way to do things. I guess it’s a way to go, but it certainly makes me make a disgusted face.

staying anonymous online is still hard

Robert Graham has a nice addition to the discussion about Sabu/Lulzsec: “Notes on Sabu arrest”. Maintaining anonymity online is hard. In the (increasingly distant) past I ruminated about staying anonymous online (1, 2, 3, 4). It’s hard, takes a lot of work, and you need to maintain absolute vigilance so you don’t screw up even once. I should really update and add to that series, especially in light of smartphones, GPS, web tracking giants…

self-preservation in the criminal underworld

Via the LiquidMatrix article, “Sabu Rats Out Lulzsec”, I got over to the article on FOX, “EXCLUSIVE: Infamous international hacking group LulzSec brought down by own leader”.

This succinctly illustrates one of the biggest tools that anyone has against criminals: the lack of trust amongst criminals, and their fear of justice system punishments. Clearly this requires there to be laws, and the pursuit of them, but ultimately a criminal always needs to be looking over their shoulder and being distrustful of their peers.

Even the increased level of anonymity the Internet provides is not always enough to keep social* criminals safe.

* Or those that can’t stand on their own. In other words, if you have stolen goods, you still need to sell it to someone/somewhere, or have contacts to do SpecializedTaskB or whathaveyou.

this is why they don’t make you read privacy terms

It’s nice to see useful articles about digital security and privacy starting to grace major media these days. I especially liked this one found around the front page of CNN.com this evening: How to prepare for Google’s privacy changes. I like the steps it shares at the bottom. And I really like this statement:

Google points out that the products won’t be collecting any more data about users than they were before. And, in fairness, the company has gone out of its way to prominently announce the product across all of its platforms for weeks.

In other words: “You mindless sheep, finally you’re going to get pissed about privacy issues that were already flippin’ there!”

As I like to say, if your business model suffers when you have to reveal it to your customers, because of how they react, you need to sit back and do some soul-searching. Be up front about it and let consumers decide if it’s worth it. Don’t just try to see what you can get away with, whether intentional or by feigned naivety.

interview with rsa’s art coviello

It’s been a year, but you can read some more about RSA’s woes last year from an article/interview with Art Coviello, Executive Chairman of RSA, who is giving a keynote sometime around now over at the RSA conference.

I’m personally not sure I’m buying the part of the attacker not getting entirely what they wanted, or the parts about replacing tokens just because of the perception of lost faith from customers, and not because some secret sauce was stolen, putting customers at risk. I think this is continued smoke and capitalizes on the continued lack of actual detail on what was taken, which RSA has done since day 1. And covered up/misdirected a bit by saying that people still buy their solution and they still sell them. My guess is that they changed the wrong things they were doing (keeping a seed list), which makes this true, but not relevant to the breach/response.

Misdirection…clearly I’ve been watching too much magic-related stuff online these days (I have!). Something involving Reddit questions with Penn & Teller on YouTube and reading an article some months ago about Teller and a little red ball trick… (Side note: I love how the Internet can stoke these almost childlike moments of learning and interest so efficiently.)

online whoring and the beauty of the internet

…Silicon Valley once was home to scientists and engineers — people who wanted to build things. Then it became a casino. Now it is being turned into a silicon cesspool, an upside-down world filled with spammers, liars, flippers, privacy invaders, information stealers — and their grubby cadre of paid apologists and pygmy hangers-on.

Pieces like this* (Hit men, click whores, and paid apologists: Welcome to the Silicon Cesspool) remind me why I always have this inexplicable bad taste in my mouth when thinking about tech journalists, “online influencers,” and other people who don’t seem to *create* or *do* anything other than chase page views, which itself doesn’t seem like a viable long-term business strategy to me. (Evidenced by the utter lack of ads on my own site.) In a sort of subtle (maybe too subtle for the people in mind) switch, I much prefer those people who chase content, where the page-views just become incidental and never eclipse the content.

(To pile onto things, I also hate articles like this: Apple PR’s dirty little secret. The situation pisses me off, but I also get pissed at the tech author who thinks way too highly of himself and whines in the article itself. Get over yourself and shut up.)

This is the sort of thing that really rocked Digg, or maybe didn’t rock it directly, but it does contribute to various levels of lack of trust: transparency and conflict of interest. I don’t like having to piece together for myself a conflict of interest, since that will absolutely destroy credibility in my eyes. At the very least, be up front about it, about your processes, and if you do sell spots on the front page or otherwise artificially adjust whatever, at least say so. I know Google’s first few hits are paid placements, but they don’t hide it either (well, not ENTIRELY anyway…they certainly do try to camouflage it…)

When I read a magazine and I can’t tell if a page is an ad or not, I feel upset and distrustful of both the magazine and, mostly, the product on that page. I really hate having to see the words “paid advertisement” at the top in order to tell, but at least the mags do that much!

Don’t get me wrong, mags plug shit in their normal articles as favors or whatever all the time. Yeah, information security and tech magazines know this very well! Just like Congressmen introduce bills for lobbyists, just like I may gloss over a few negative traits to get a casual friend a job interview in my company, etc. This happens, but that doesn’t mean I really like it. I just tend to try not to internalize and agonize over fights that can’t be won, ya know?

Anyway, the point is I have never liked the whole “online influencers” problem. It’s a greed play for money via pageviews, rather than driven by the love of the content (or ego play to compensate for poor self-image that drove them online in the first place). And because I don’t like this sort of stuff, it’s sort of why I don’t think things like these are viable business models (or personal mental health models) in the long run, even though they are lucrative in the short run and are threatening to destroy things in their wake (traditional journalism, content-driven but under-funded ‘little guys,’ etc).

Hell, you can even chase non-monetary popularity if you want. Just don’t be a whore.

One of the absolutely beautiful underlying concepts of the Internet is the playing field where someone can share something of quality, and you and I can find it. Where we’re not just bound by physical limitations or horizon limitations where I can just look up more on it and verify information and such. It’s not just information served to my eyeballs, but interactive and, at its best, a give and take situation that enriches lives in a wholesome way.

(Oh, and I believe ripping away anonymity won’t help.)

This is strange. I’m being pessimistic and ranty about having an idealist slant on something? Anyway, End Rant! 🙂

* I already don’t recall where I got linked to this article…

a bunch of great sec lessons from tripwire

I love me lists, and Tripwire dug deep to drop out a list of 25 things:* “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them”.

(* I say things because that title sucks. It’s too long for Twitter use, so it gets shortened and passed around as various other juicier-sounding things, but is still a fun read. Likewise, you’ll get halfway through the list and forget what the point was; are these myths? truths? just anecdotes? did this just get too long?)

This is a huge list and not everything is worth reconsidering, but I wanted to highlight a few more things than I anticipated, probably because there are good lessons through the whole list. Some of these lessons could be a whole book chapter in themselves.

1: I got no errors so I’m sure the backup is valid – Test and verify. You’re taking backups? Are you sure? And do you know for sure you can restore them when you need to? Having backups is probably the most important security *and* operations function, and verifying the process works shouldn’t be done when the emergency hits. (I really, really hate when “outages” are excuses to call them half-assed [and usually woefully incomplete] disaster recovery/business continuity tests just because someone is averse to talking to the business about the interruption/work that occurs during the real test.)

2: Do you really need everyone to wish you “Happy Birthday?” – I actually think I uttered an audible, “wow” when I read this. It just bears highlighting in itself.

4: Yes, a UFO is an unidentified flying object, but it’s probably an alien – Great point, yet strangely enough for someone with an ear for security, I’m usually the last to assume some form of strangeness is a hack attack. I guess I’ve seen way too many “strange” things turn out to be explained via completely innocent means (or unexplained, non-security events). As I like to say about law enforcement approaches: the simplest answer is usually the correct one.

5: I don’t care. I work in information security, not physical security – I simply like the reminder that, well, fucked up shit happens in the physical world, and you really can’t predict it.

7: Let’s get the bad guys…all the bad guys – I’m not sure I liked this item; I had to read it several times and still am not sure I follow it or agree with it. I think maybe the bullet title is just awful since it doesn’t match the anecdote. Still, even small things can be a problem, as I think a few other bullet points make mention of, but yes we should prioritize and we can’t get to everything all at once.

10: We only offer secure access to our system, unless you want to use our test machine – I have to quote Wysopal because he’s right. Read another way: least-fricken-privilege. This is one of the more common issues, imo, in business: people do and get away with whatever they *can* do or get away with.

“The lesson here is not to give your users a less secure way to get something done or they will pick it and be compromised,” said Wysopal.

11: This system was secure when I bought it – As I move further into my career, I realize the hardest long-term problem I’ll face is likely just keeping up with changing technology. I’m just one job and a few years away from being grossly behind, ya know? I’m thankful I work in a progressive organization right now where we have many advanced tools and a mature IT budget and culture, but getting behind always scares me. Hell, I’m already behind on the desktop side, as I’m nowhere near as proficient at Windows Vista/7/2008 as I am everything older.

13: We’ll make it a security policy and everyone will follow it – I love both his points in this bullet: monitor (verify) and even educate your clients. For the latter, right now I’m actually having to defend an SSL certificate on a website that passes internal credentials and sensitive data to a client who doesn’t want to spend the money to purchase one. If a client asks, the account managers and salespeople aren’t going to say no! Normally I just do this, but more and more, larger corps are keeping tighter control of domain ownership…

14: Hurry up, we need to fix this problem right now! – Slow down and do it right. In the past 6 months we’ve had it pretty rough on my team, with lots of strange outages both self-inflicted or completely out of our control. I really dislike how, during an outage, a huge rush and pressure is put on to find creative ways to get things half up again. This often brings with it new challenges, issues, orphaned changes, and risk, and sometimes causes more problems than it fixes. If you have a plan, stick to it. Don’t create new plans during an issue unless you absolutely have to. And if you do, relax, think about it, and work smarter rather than faster. (Really, this cuts both ways and gets back to value/business needs, but my more recent experiences are reflected in this opinion.)

15: Yeah sure, the USB key is secure – Just a great anecdote to drive home that bad things happen and people are ultimately a constant problem.

18: I’ll just dictate security and it’ll work – I think dictating security *does* work, but not when you’re just dictating policy or procedures; only when you’re backing it up with technological controls to enforce it.

19: People are usually very thorough when filling out survey forms – I cringe. I know Bob fills out security questionnaires from prospective clients. Bob barely knows what he’s filling out. Bob also knows prospective clients barely look at the results anyway. Ultimately, what someone claims is somewhat meaningless without verifying it. I think that rings true in several of these bullets.

20: All vulnerabilities take priority over the business – Ahh, this rings of both truth I agree with, but also some of the more intense frustrating feelings that I disagree with. I think this is where you’re on the bar of a seesaw that can’t fully dip down on one side or the other. It’s hard to read this without feeling that hot/cold duality, to both agree with Gene and disagree. Honestly, I think that’s a healthy reaction to this…

21: Eventually, when I have time, I’ll encrypt that hard drive – Just another great anecdote, especially to higher-ups, that shit sometimes just happens. And when it does, it doesn’t smell like roses like ya think…

22: No one is going to screw with my unattended computer in the office – We do this in my team, and it drives home the point quite nicely. I prefer to email their immediate manager, “I’d like a pay decrease. Thanks!”

24: Wow, a cool new untested security product! – The real point in this, to me, is that you can’t just throw something out there in the name of security and expect it to just be unattended. I agree you should test, but you could spend a year testing something like an IPS, put it in, and still have a strange problem. You need to accept that security is an ever-moving balance between blocking things and allowing things, on an ever-moving landscape. It’s like balancing on a pylon from a broken dock in the beating surf.
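Item 1 above (“I got no errors so I’m sure the backup is valid”) boils down to “test and verify,” so here is what that looks like as a script. This is an added example, not code from the blog or from the Tripwire list: it archives a directory with tar, records a SHA-256 checksum, and then treats the backup as valid only after a restore from the archive has been compared byte-for-byte against the source. It assumes a POSIX shell with GNU tar and sha256sum; the sample tree it backs up is constructed inline.

```shell
#!/bin/sh
# Added example, not the blog's or Tripwire's code: treat a backup as valid
# only after a restore from it has been checked against the source.
set -eu

# Constructed sample tree standing in for whatever is being backed up.
make_sample_data() {
    mkdir -p "$1/etc" "$1/home/alice"
    printf 'listen 443\n' > "$1/etc/app.conf"
    printf 'rotate keys\n' > "$1/home/alice/todo.txt"
}

# Archive directory $1 into tarball $2 and store its SHA-256 next to it.
# $2 should be an absolute path, since tar changes directory into $1.
make_backup() {
    tar -C "$1" -cf "$2" .
    sha256sum "$2" | cut -d' ' -f1 > "$2.sha256"
}

# Three checks that a "no errors" line in a backup log does not give you:
#   1. the archive on disk still matches the checksum taken at backup time,
#   2. it actually extracts,
#   3. the restored tree is identical to the source directory.
# Returns 0 only when all three pass; prints the failing check otherwise.
verify_backup() {
    src="$1"; archive="$2"
    expected=$(cat "$archive.sha256")
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "FAIL: checksum mismatch for $archive" >&2
        return 1
    fi
    restore=$(mktemp -d)
    if ! tar -C "$restore" -xf "$archive"; then
        echo "FAIL: $archive does not extract" >&2
        rm -rf "$restore"
        return 1
    fi
    if ! diff -r "$src" "$restore" >/dev/null; then
        echo "FAIL: restored tree differs from $src" >&2
        rm -rf "$restore"
        return 1
    fi
    rm -rf "$restore"
    echo "OK: $archive restores to a tree identical to $src"
}

# Usage: sh backup_check.sh demo
# Runs a backup, verifies it, then corrupts the archive and verifies again
# to show that the checksum check catches silent damage.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_data "$work/src"
    make_backup "$work/src" "$work/backup.tar"
    verify_backup "$work/src" "$work/backup.tar"
    printf 'junk' >> "$work/backup.tar"      # simulate silent corruption
    verify_backup "$work/src" "$work/backup.tar" || true
    rm -rf "$work"
fi
```

The restore-and-diff step is the part worth scheduling: a checksum only proves the archive is the one you wrote, not that what is inside it restores to something usable. Running `verify_backup` on a cadence (and against the real restore target, not just a temp directory) is the cheap version of the disaster recovery test the author wants done before the emergency, not during it.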

interviews and hiring and social interaction with strangers

Enjoyed this quick and entertaining article from Techdulla: “Hiring is hard.” I’ve (obviously) been the interviewee in the past, and I’ve done some of my own interviews as well (usually with my manager, sort of as the technical evaluator). It’s my opinion that interviewing for a job is an extremely stressful moment for most people, right up there with public speaking. I think we internalize way too much and stress way too much about how the other person (or audience) is thinking about us, and not enough on just presenting the content. While the content is admittedly ourselves, the judgement will come later on with a yea or nay on the job interview. Warning: This might be the introvert talking!

Interviewers can help with this process, and I think some care can be given to help ease the person being interviewed, at least just a little bit. Maybe try some informal ice-breakers or some directed conversation to get things flowing, ya know? Like talk about the company and position and yourself for a bit, rather than immediately putting the interviewee on the spot. It’s not like the employee-manager relationship is always going to be this tense, stressful, rigidly formal situation. Some might think this is a good idea because it may reveal personality traits (good or bad) that can be subdued when talking to a stranger and/or an authority figure.

It’s a whole other topic about dealing with the self-conscious issues when dealing with strangers or interviews. While I am quite an introvert and really suck with the small talk that extroverts excel at, I have gotten far better than I used to be; I think partly I’m comfortable with myself, but also realize deeper things like how such worry just doesn’t matter, and whether someone likes me or not is not a big deal in the whole scheme of things that entail my own life; some people I’m compatible with, others not really. Basically, carry a conversation, be knowledgeable about the topic at hand, listen respectfully, don’t put up false fronts, and try to be interested about the other person. Or at least learn to suppress those expressions and mannerisms that consciously or unconsciously signal to the other party that you don’t want to talk to them at all; encourage just enough to get more information and evaluate whether that cute blonde is still worth chatting with at length.

These are not just thoughts about interviewing, but rather interaction in general, from dating to meeting strangers, to small talk in the bar.

I thought about making one of my New Year’s Resolutions this year to make an effort at saying something to a stranger every day (beyond a general greeting) or some other nicety designed to challenge my introvertedness (practice, practice, practice) and improve my social skills, but decided I had enough stuff already lined up, and thought I could use some more planning on that one.

divulging encryption passwd could be protected testimony

The issue of forcing the accused to provide hard disk encryption passwords is a pretty interesting topic these days. I just read today over on the H about how, in certain situations, password divulgence could be protected by our Fifth Amendment (protection against self-incriminating testimony). Definitely interesting.

I’m no lawyer, but there are plenty of fun issues. For instance, what if I don’t know the password but it is kept on a keyfob? Does this fall into key-and-safe issues? What about a combination safe where the combination is in your head? (Though, granted, I bet *someone* can get into that safe…) Or coded documents? Law is a greatly interesting field, but I’m also glad I didn’t go down that road of study back in the day!

slightly challenging my distant view of rsa

RSA has never really been on even my long list of cons to attend. Too corporate; too marketing; not deep enough; too superficial; too many analysts… But Securosis has a post with advice on RSA, and I am glad for the honesty (e.g. avoid the parties, hallway track: they’re not the same beast as geekier cons) and detail. The post even mentions that there are plenty of geek things to do, such as engineers to talk to and product demos and such, which is a great point, and one that may make a trip to the RSA conference worthwhile. Someday. It’s still not in my plans!

They also have a post up with some eats recommendations, which I know I always personally appreciate when I can quickly get a thumbs up or thumbs down. It sucks to experience that craptastic fake Chinese place first hand. (I need to be careful with my wording, lest I start making it sound as if “liking” something on a “social network” is a good thing that I should be participating in all the time. I love me first-hand opinions, but the author and content and context [e.g. poor Amazon reviews because shipping sucked] still need to be considered as opposed to a raw score…)

checking out 8 lessons from the nortel hack

Via Infosecnews mailing list, I read 8 Lessons From Nortel’s 10-Year Security Breach. Let’s visit these items!

1. Don’t Treat Nortel As The Exception – This is a good item itself, but it gets smeared with the stain of having to talk about APT. As item #8 implies, don’t limit yourself to just talking about APT.

2. Keep Proving You’re Not Nortel – This follows the need to have permanent, ongoing security.

3. Create A Robust Information Security Program – A good point, but please at least mention the need for staff in addition to tools.

4. Expect Defenses To Fail – Can’t say this enough, since it never really sinks in to unwashed managerial levels.

5. Don’t Fail To Investigate Data Breaches – Fair enough, but this is also a really big cultural and political problem, not to mention an empowerment one. One thing to learn from Nortel is that even the CEO levels need to capitulate to the security team. Honestly, the IT team knows a lot about a company (and has great access), but a robust security team probably knows or could potentially know even more. Accept it and embrace it for maximum value from your staff. This is hard, though, since analysts may see lots of little things that make no sense and they have to choose which to investigate, or may spend too much time tuning things to create black holes in an effort to be more efficient, or quite simply don’t want to create more work for themselves (unethical, but that’s human nature).

6. Conduct A Thorough Forensic Analysis – The next line is better: “Likewise, don’t expect breach investigations to be cheap. But short-term savings–skimping on conducting a thorough forensic analysis after a breach, for example–can have long-term repercussions, as Nortel discovered.” Tell a CEO you’ll need his laptop for a week to do forensics on a suspected issue. His reaction will tell you everything you need to know about a company’s security culture.

7. Expect Greater Accountability – Not sure if this will create accountability or simply just be more noise that desensitizes people to insecurity. Still, I look forward to more economic pressures on accountability…

8. Defend Against More Than China – Good point, but I really wish they had mentioned US, domestic, or even hackers in your own backyard.

my bigger concerns when I hear a company has been hacked

A British student has been jailed for hacking Facebook:

Scotland Yard said in a statement that the breach had occurred “over a short period of time” in April of last year. The court was told that Mangham had obtained the information after hacking into the account of a Facebook employee while the staff member was on vacation…

“This was not just a bit of harmless experimentation,” [Judge] McCreath told Mangham. “You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance.”

And what exactly happens to a large, tech-friendly corporation that allowed a single hacker to access the “very heart of the system” in what sounds like a live-or-die breach to that company? Internal reviews, probably an employee with a slapped wrist (perhaps), and nothing else that I can tell. Well…at least they found the attack (presumably).

the discussion on continuous patching

First, go read Rafal Los’ post over at the HP blogs: Continuous patching – is it viable in the enterprise?, along with the comments. I really deeply dislike the commenting system on their platform (even more so on my Linux desktop, let alone the damn captcha and moderation rules…), so I’ll make reactive comments here, largely because it’s a great discussion.

(Disclaimer: I’m super sensitive to downtime discussions right now, since my company is suddenly super sensitive to it, resulting in more work by my team, more after-hours work by my team, and lots of confusion on how to satisfy “no downtime” mandates with “make progress” expectations. It’s painful in the SMB world where expectations between biz and technology [and even security!] are still in a world of upheaval this decade.)

1. Hindsight is always valuable, but in too many cases with technology risk in business, we’re just going to keep bouncing between contradictory “hindsight lessons,” which result in analysis paralysis. At some point, you just need to buck up and do it and stop playing business politics about it.

2. Patching is “simple” (even though it can be easily over-thought and subjected to analysis paralysis) and everyone can put in their 2 cents, from IT geeks to the lowest users to the highest execs. Yet we can’t even begin to agree on it. Just like so many things in security, we need to stop looking for the “right” answer to the problem. It will always be different. If there was one correct answer, it would hit us all like a truck to the face and discussion would be over. That said, this discussion is still useful.

3. “Patching” in an organization isn’t just about approving patches in WSUS, or even testing them. It might also mean getting them configured in a central management tool like Altiris, or image files and the like. For my SMB, smaller more frequent patching (presumably at on-demand intervals) really sucks and would probably result in only bothering with major upgrade releases.

4. When we’re talking the web world, sure downtime may be minimized as systems are updated, but that doesn’t mean users feel all hunky-dory when a “patch” changes their app layout (thanks Google Reader/Gmail, Twitter, etc…). That may not be “downtime” to managers, but may as well be downtime for users. And we may not even be talking yet about developers making constant little changes to web site code, or at least more frequent changes. It’s always fun when frequent changes are made and a problem isn’t found right away to correlate to that last update. It’s also fun when users update their own shit on their systems, leaving a business in an unpredictable desktop state.

5. What is the goal of patching? To fix bugs that my users don’t see and fix security holes that aren’t currently letting in attackers, or to roll out new features that my users would like? One of those gets traction, the other does not, when management becomes sensitive to downtime.

6. I like that last comment from Chris Abramson. I dislike the part about bringing up AV signature updates (not a patch process, more of a data update), but I do like the part about baking in stability and separation so that one update doesn’t bring the host part down. And while noble, I echo the sentiments that it takes many years and many resources to even begin to do. Not something that today’s fast-moving business and technology and developers can do, or are willing to do.