Oct 21 2014

Posting other places

Published by under Blogging

I’ve been blogging for some other sources lately.  It’s interesting to be creating articles for someone other than myself, because I put more thought into it and spend more time trying to organize my thoughts and outline the article before I put virtual pen to paper.  I’m writing for IBM’s Security Intelligence blog (they’re an Akamai partner) and InfoSecurity Magazine regularly and contributing to other venues as opportunity comes up and time allows.  Blog post, articles, webinars, presentations, or just shooting the breeze about security, I do it all.

  • Don’t Track My Children – Title’s pretty self-explanatory.  I don’t want my children to be subject to constant tracking and observation just to go to school.
  • How to Present Security Topics to a Non-security Audience – I wrote this after I had the privilege of presenting at a Cloud event in Prague last month.
  • Why is “Security Intelligence” so Hard – Marketing teams call their products ‘security intelligence’, but the reality is most of the products barely rise to the level of information, let alone intelligence.  It’s a pet peeve and I feed it often.
  • Heartbleed and Shellshock: The New Norm in Vulnerabilities – I’ve been talking to a lot of my co-workers lately and we all expect there to be more vulnerabilities of this level in the near future.  On the other hand, I’ve gotten feedback from people basically stating this isn’t anything new, it’s just that the latest vulnerabilities have better PR and logos.  You have to love logos.
  • Setting a Dangerous Precedent: It’s Foreign – Where in I posit that the US and UK governments are setting a dangerous standard by saying it’s okay for them to hack foreign computers in pursuit of criminals because it lets other governments do the same.

More coming, but I thought I’d give you a wrap of my recent posts, just in case you missed them.  Am I my own link bait?

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Oct 14 2014

Wake up to a POODLE puddle

TL:DR – Disable SSL immediately.

As of this morning SSL appears to be dead or at least dying.  The POODLE vulnerability in SSL was released last night, basically revealing a vulnerability in the way that SSL v3 uses ciphers and allows an attacker to make a plain-text attack against the encrypted traffic.  This makes the third major vulnerability released on the Internet this year and is another warning that this level of vulnerability discovery may be the new shape of things to come.

I’m not going to try to explain POODLE in detail, or give you a nice logo for it.  Instead I’ll just point to the better articles on the subject, a couple of which just happen to be written by my teammates at Akamai.  I’ll add more as I find them, but this should tell you everything you need to know for now.

Update: It’s estimated that SSLv3 accounts for between 1% and 3% of all Internet traffic.

And since there’s not an official logo for it yet, I present …. The Rabid Poodle!

Rabid Poodle

Rabid Poodle

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Oct 05 2014

Understanding Apple’s new encryption model

I understand enough about encryption to get myself in trouble, but not much more.  I can talk about it intelligently in most cases, but when we get down to the nitty gritty, bit by bit discussion of how encryption works, I want to have someone who’s really an expert explain it to me.  Which is why I’m glad that Matthew Green sat down to explain Apple’s claims of new encryption that they can’t open for law enforcement in great detail.

The Too Long; Didn’t Read (I often forget what tl;dr means) version of it is that there is a unique ID that’s hidden deep in the hardware encryption chips on your phone that software doesn’t have access to.  This UID is made part of your encryption key through complex algorithms and can’t be pulled out locally or remotely and makes for a strong encryption key that protects your encrypted data.  Do keep in mind that not all of the interesting data on your phone is encrypted, there are still nooks and crannies that can be looked at by someone with physical access to the phone.  And that some of the most interesting stuff on your phone isn’t what’s on it in many cases; it’s the list of who you’ve called, where you’ve been and the like that they can get from the carrier.  That metadata is often at least as important as what’s on your phone, and much easier to get without ever having to even see your phone.

I’m personally very glad that Apple (and Android as well) have begun encrypting phones by default.   Yes, police need to the ability to get into phones and see what people have been doing on them, but the last two years have shown that this ability has been abused for quite some time.  Various governmental officials in the US have decried the move saying they need the ability to catch pedophiles and terrorists.  Yet so far the count of cases where the information needed to catch anyone from either of those categories couldn’t be gotten by other means is still in the single digits.  At the same time the number of  lawsuits against police in the US abusing their ability to get into phones numbers in the hundreds.  Do the math and figure out for yourself if it’s worth law enforcement having easy access.

We’ll be seeing more organizations of all types moving encryption, partially to protect users and partially to defend themselves from the negative publicity being open to the police brings.  There will be a number of missteps, of poor encryption methodology and cases where people realize they can’t just get their backup from the cloud because they used serious encryption and lost the key.  There will be growing pains and there will be examples of guilty people escaping because law enforcement doesn’t have easy access to phone data.  But we need to have strong encryption to protect the privacy of average citizens who’ve done nothing more than catch the attention of the wrong person at the wrong time as well.  Our privacy is much more delicate and deserving of protection than many in power believe it is.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Sep 25 2014

“All we need to do is …. redo everything”

Published by under General,Risk,Simple Security

I love listening to idealists.  In fact, I’d be one if it wasn’t for the crushing despair and cynicism that working in the security profession has instilled in me.  Or maybe I work in this field because the crushing despair and cynicism already existed.  In either case, I’ve lost the ability to even think “we could just fix all of our security problems if we just …”.  And when I see others saying the same thing, I have to shake my head in amusement at their naivete.  But it really makes me wonder when I see someone who’s been in security even longer than I have say those words.  Especially when it’s someone like Ivan Ristic.

Ivan is arguing in his post that all we need to do is create tools and languages that don’t allow XSS or SQL injection and the world will be a better place.  He’s right, but the very next thing is admit how unlikely this is in the real world.  Such languages and tools would be a wonder to behold, but they’d kill backwards compatibility.  If you’ve ever worked in a web server farm, you know this just isn’t going to happen.  Actually, if you’ve worked in any aspect of IT, you know that killing anything by not supporting backwards compatibility is nearly impossible.  Even if there’s only one user who’d be affected by it, the powers that be simply won’t let anyone who might give them a few cents more be left behind.

We live in a real world, however surreal it might sometimes feel.  The problems in security are big, complex and ugly.  There are simple solutions, such as what Ivan’s suggesting, but the problem with simple solutions is that they come at a high price.  We’re not going to get programming languages that don’t let developers create security holes, because sometimes that’s the easiest way for them to get their jobs done.  We might get away with it if we introduce tools that make it easier to program securely then slowly close the holes that allow for insecure coding.  But this is a solution that’s going to be decades in the making, not overnight.

There is no “All we need to do is…” in security.  It’s always more complex than it first seems.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

3 responses so far

Sep 14 2014

Limiting online time

Published by under Family,General

I limit online time.  Not for me, for my children.  Apparently I’m among a fairly prestigious group of people who do so, since many of the C-level execs in Silicon Valley also limit their children’s time with tech.  Though it looks like many of them are even stricter than I am about how much time the children get to interact with their computers.

We’ve always limited the amount of time our children can spend on the computer.  We found from an early age, they’d spend every waking moment playing games and surfing the internet if they could.  I wonder who they’re using as their role model?  When they got their first computer, one I’d rebuilt from parts of several of my older computers, we allowed them to have it in their room.  We found out quickly that was a mistake, as our youngest had taken to watching videos that contained language we didn’t want him using.  Ever.  Since then the computers have been in the computers have been in a common area where we could look over their shoulders whenever we wanted.

We have hard limits for when they’re allowed on the computer, which are probably not as strict as many of the parents mentioned in the times article.  The children often try to get around these limits by grabbing their iPhones or a tablet, but it’s made clear that these also count as time online and aren’t allowed.  We have hundreds of books, scattered around the house, and reading is always encouraged, no matter the time of day.  Now if we could only teach the youngest how to treat books with proper respect.

One thing we’re looking at changing is their use of social media.  Neither of the children have any social media accounts at all.  It’s not just that we don’t want them to have Facebook or Twitter accounts, it’s also that they’ve heard me talk about social media so much that they have decided on their own that it’s not worth it to have them.  They do have Skype accounts for keeping in touch with their friends back in the States and a few forum accounts, but these aren’t really ‘social media’ as I think of it, though maybe I’m wrong.

This might change in the near future, as our older has started expressing some curiosity towards social media and would like to experiment some.   As long as he understands his parents will be following him and watching who he interacts with, at least at first, I think we can allow him to try it.  I don’t want him to be like the guy who keeps a case of soda in his room because his parents never let him have it as a kid.  Instead we’ll let our children learn in a relatively safe environment, or at least one where we can intervene if we need to.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Sep 08 2014

Buffer between Target and banks

Published by under PCI,Risk

We all know that Target got compromised last year, but what some of you might not know is that the banks who issued the credit cards that were compromised are suing Target.  They’re saying that because Target didn’t take sufficient measures to protect the card data the banks had to spend millions of dollars in order to re-issue every one of the cards that were compromised.  It makes sense on the surface, since the banks incurred the cost due to the insecurity of Target’s systems.  But here’s the rub: there’s no direct relationship between the issuing banks and Target.

I find it funny because this relationship is one of the things that was drilled into me from the start of my Qualified Security Assessor training.  There is a relationship between the merchant and its bank, called the acquiring bank, between the acquiring bank and the card brands, between the card brands and the issuing banks and finally between the issuing bank and the consumer.  This was done with careful thought to create a buffer between the card brands and both merchants and consumer.  As a consumer if you have an issue, you have to take it to your own issuing bank or the merchant, since you have no direct relationship with the card brand or the acquiring bank.  It’s also why the card brands have always said that they don’t issue fines to compromised merchants, it’s the merchant’s bank that have to issue the fine. The picture below illustrates this relationship and is similar to what was used to train QSA’s when I went through training.


I find a certain poetic justice in this defense being used by Target.  The card brands and the banks developed this system in part because it’s a reasonable way for transaction clearance to work, but also in large part because it gave as many parties as possible a way to distance themselves from the sins of another party.   Except the banks and card brands meant for it to be a buffer from lawsuits between them and both merchants and consumers, never thinking it would provide a buffer for the merchants as well.

I don’t claim any deep understanding of the underlying legal statutes that could affect this case, but I do see that Target’s defense could bring up any QSA that is worth his or her salt to the stand to illustrate their point.  It’s going to be much harder to establish a responsibility from Target to the issuing bank when any witness with knowledge of the Payment Card Industry Data Security Standards is going to have to say, under oath, that they had been trained from the first day that there’s no relationship between the two entities.  On the other hand, if the buffer is dismantled legally, it also opens a venue for merchants to sue the card brands, so either way the banks are going to be losers in this battle.  Well played, Target, well played.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Sep 07 2014

Is pay rising with demand in security?

If you follow me on twitter, you know I like to throw out questions occasionally just to stir things up.  On Friday I asked the following question about jobs in the security realm:

We keep hearing about how desperate companies are to hire infosec professionals. So how come we still see so many low ball salary offers?

This hit a nerve with quite a few people, many of who mentioned that besides having low salaries for the apparent demand, we also see low stature in the company and that while there’s a demand, companies still don’t see how paying a security professional leads to profit.  The conversations on twitter led to an interesting side road about how newcomers to the field are expecting huge salaries without having any experience at all.  But the most comprehensive response came from John Wood, who wrote a whole blog post about it rather than responding 140 characters at a time.

John sees the reasons as being a) the company doesn’t really care about security, so they’re just trying to get the lowest paid person they can, or b) they have no idea what the actual job market for security professionals is like in the real world.  If it’s ‘a’, I’d agree with John and say far away from the company; let someone who’s willing to suffer through a thankless job take the role on.  His suggestion for the second part is that you should talk to the hiring team and explain to them what salaries are like in the real world, then walk away until they’re willing to pay what you feel reasonable.  I’ve worked at a lot of companies in my career and I’ve never had this strategy pay personally, but maybe it has worked for others.

I see the effect of companies who just want ‘check box security’ a lot.  Having been a Qualified Security Assessor (QSA) dealing with PCI in a former life, I’m all to familiar with the concept.  I understand that most companies out there still don’t see that security has to be part of core processes in order to be effective and still see it as an impediment to be overcome rather than a selling point for the company.  Besides being directly responsible for the low salary offers, it’s reflected in the low stature the security team is often given within a company.  Of course, there’s the whole argument that we still don’t know how to speak ‘business’, but that’s a drum to beat another day.

Security as a core competency, as  business process that leads to more sales and greater profit is a hard sell and one that’s always going to be difficult to draw a direct correlation to.  I’m lucky in that I work for a company where security is a part of the discussion any time a product is sold, but how do you bring security into the conversation when you sell widgets?  It’s not easy, there are no simple answers and it’s something that each organization has to discover for itself.  The more we can make business aware that a good, well trained security team is essential to the health of the company, the more likely we are to see a willingness to pay salaries commensurate with the market rate for those roles. On the other hand, I’ve been told at a number of places sometimes there is no way of creating that linkage and security will always remain a check box for that company.

What about the new security professionals who are asking for high salaries with just an education and little or no experience?  That’s a hard one for me, since when I started in the security profession the only way to get a job was through experience.  I’d guess that it’s a dark reflection of the demand for security professionals; while in school the student hears again and again about how much demand there is and has unrealistic expectations once they graduate.  Or maybe they’re not that unrealistic after all, since at least some of them seem to get the salary they demand, even if they have to grow into the role they take on.

As a closing thought, one of my coworkers, Brian Sniffen, states

Only contractors are paid spot price. Salary is an annuity.

His point being that if you want the flexibility that creates a high end salary, you have to take the risks that a contractor does, including changing jobs regularly and having an uncertain stream of income.  In security, that risk is probably lower than in many careers, but it’s still a risk that’s there.  I’ve been a contractor and I’ve hopped jobs a lot in my career, which is another way to deal with the pay issue.  I’m not ready to do much of either in the near future, thank you very much.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

3 responses so far

Sep 04 2014

Congratulations, Rich

Published by under Family,General,Humor,Personal

Wow, it’s been seven years since Rich Mogull left Gartner and started Securosis.  I met him shortly before he took the leap, introduced by a mutual friend, Richard Stiennon.  I worked with Rich and a host of others to organize the first Security Bloggers Meetup at RSA, which is still going, and when I heard he was leaving Gartner, I invited him to participate in the Network Security Podcast with me, a partnership that lasted over six years.  He’s  a good person, a good friend, and someone I truly feel lucky to have met in the security community.

It’s interesting to see the progression any security professional makes in their career.  Many of us reach a certain level and seem to be content to rest there, while others never stop, never slow down and are never content with where they are now.  You can guess which of these two I believe Rich to be.  It’s heartening to see friends be successful, since one of the recurring themes in security is how we’re losing the war and burning out.  Seeing someone who’s still excited by their role, if not waking up in the morning, is a wonderful experience to behold.

Where were you seven years ago?  I was the security manager for a small company that had been in start-up mode for 12 years.  Now I’m living near London, working as Akamai’s Security Advocate for Europe and traveling the world over.  If I look at Rich as a benchmark, I feel a little inadequate sometimes.  But if I look at where I started versus where I am now, I’m happy, especially if I think about how much farther I can go.  I’m happy that my friends have been successful beyond my wildest dreams.

Congratulations on seven years of success to Rich Mogull and the rest of the team at Securosis.  You deserve the prosperity you’ve enjoyed over the years and I hope you have many, many more years of the same.  Just one thing:  Keep your pants on.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Aug 25 2014

An American in London

Published by under Family,Personal

Almost exactly a year ago my family and I moved from Northern California to 20 miles west of the capital of the United Kingdom, London.  It was the start of an adventure that’s exposed us to a new culture, cut us off from most of our friends and family and made massive changes to how we see the world.  We’ve had to make huge adjustments in our expectations, our lifestyle and how we drive, but my wife and I both think it’s been worth it.  The children seem to disagree, if you believe their loud and frequent complaints.  But these seem to be fewer and fewer as time goes by.

The first few weeks we were living in an apartment a few miles from where we live now.  It was a good landing spot while we waited for our shipment to arrive.  But being a family of four in a two bedroom apartment was its own special level of hell when you’re used to having a little privacy from time to time.    Thankfully our stuff arrived in fairly short order and we got to move into the house we’re living in now.  Everyone has their own space, though my wife spends most of her time in the kitchen or her office, while the kids spend theirs on the computer in the reception room we designated their office and I spend mine in an office that was converted from half the garage.  It’s a good house, about 100 yards from the station, with two trains an hour into London’s Waterloo station.

Learning to drive on the other side of the road wasn’t difficult and we’ve only made the mistake of driving on the right side of the road a few times each, thankfully in parking lots for the most part.  Getting used to roundabouts was more of a learning experience and I know I got honked at more than a few times that first month.  Now I’m fully adjusted and wondering why they’re being used so badly in the US, when they really do contribute to traffic flows when used properly.  The biggest problem I’ve had adjusting has been the bathrooms here, with the light switch on the outside, separate hot and cold water taps and toilets that just don’t seem to work as well as I’d like.  There’s also the shopping, but over the last year we’ve managed to decipher the English equivalent of American products, even if it doesn’t always look or feel exactly like we’re expecting.  There are a few products we still can’t get, like proper stuffing and chocolate chips.  But my occasional business travel to the US makes those limitations livable if we’re frugal in using our resources.

The children are the one’s who’ve had the hardest time adjusting though.  School has been a step back for them, since the UK schools don’t seem to be equipped to deal with exceptional children and this has frustrated them greatly.  They miss their friends, which is sometimes harder because they can get on Skype and talk to them whenever their sleep patterns allow.  What they absolutely hate the most is when the wife and I say, “You’ll look back on this when you’re older and realize what a great opportunity it was.”  Tomorrow’s appreciation is for tomorrow, while today’s whining and complaining is for today.   What they don’t realize is that they’ve seen half a dozen countries in the last year, more than many Americans will ever see in their entire life.  I hope they don’t hate us too much until the light of appreciation dawns upon them.

This is the end of the first year in England, with at least two more to go, barring the unexpected.  We’re settled in as a family, I’m settling in more to the role I’ve chosen at work and at least the wife and I are glad we made the choice to leave the US and immigrate to England, at least temporary.   We spent a week December exploring Munich, my wife spent her 50th birthday visiting museums around Amsterdam and we took a train into London on Saturday to explore Brick Market and Old Spitalfield Market.  These are the kinds of experiences we came to Europe to have.  And this week we have both friends and family visiting from the States.  I hope I survive the experience.

We’ll always be outsiders in England.  But life here almost feels … normal.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

6 responses so far

Aug 24 2014

Last Hacker Standing – Vegas Recovery Edition, Episode 5

Published by under Podcast

“This is not the Last Hacker Standing: Episode IV – Part II Revenge of the @k8em0 that you’re looking for!”

To fill the void in your lives before we release the epic that is Episode IV Part II we got the crew together to chat about hacker summer camp and our personal recovery plans… In a break from the norm (not sure we have a norm yet, but I’m gonna stick with that) we chat randomly about BlackHat, BSidesLV, DEF CON and the burning hell that is Las Vegas.

You may also note that we’ve got an RSS feed now… and we’re also on the iTunes!

If you like the show, make sure to click the “5 stars” on iTunes so less educated people can find us too ;)

Enjoy!

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Next »