Archive for February, 2008

Feb 29 2008

We’ll be coming to you live from RSA

Published by under Blogging,Podcast

RSA 2007 was a lot of fun.  I was working with Podtech covering the event from different vendor booths, I got to wander around with a press pass and be bothered by marketing folks every other step and I had just resigned from a job I was extremely frustrated with.  And then there was this little event called the Security Bloggers Meetup that garnered a little attention and spawned the much maligned “59 Top Influencers in IT Security” list.  We had a blast last year, and as much as I wish I could take credit for organizing the event, Rich Mogull did most of the work and I just stepped in at the last moment when he had to bow out due to pressure from his (now former) employer.

Last year’s event was a ton of fun, and this year’s promises to be even better.  We already have more bloggers signed up to attend than last year and I’m sure more will be coming as the date draws closer.  Quite frankly, I won’t be surprised if we end up exceeding the capacity of our venue, even though this is an invitation only event.  If you are a security blogger, podcaster or something else that can be vaguely called ‘social media’, contact Jennifer and get your own invite.  But do it soon!

There are two things I’m especially excited by for this year’s blogger meetup:  We have an official page on the RSA website and the Network Security Podcast will be covering the event live, with video and live interviews at the event.  The folks at RSA have recognized the value of and, for lack of a better term, influence bloggers have on the security scene and are whole-heartedly embracing the event this year.  There’s even a Twitter feed (@RSABloggers2008) for up to the minute information on the event.

For those of you who can’t make it to RSA this year, Rich and I will be covering the event live with streaming video, provided there are no technical difficulties.  I’m working on ironing as many of those out as possible before April 9th.  Don’t be surprised if you see one or two videos pop up here in the near future as I’m figuring out how to make my camera and various microphones work with my MacBook Pro.  We’ll be doing interviews with various bloggers, podcasters and any other security folks who manage to find their way into the party.  Just don’t expect us to take it too seriously, since we want to have fun too!  After the event, the video will be posted on the RSA website and probably on the sites of many of the people who attended.  If I can find the time, I’ll edit it down from the two hours of recording to the 15 minutes of real content we get.  :-)

I’m jazzed to be part of this event for the second year in a row.  And we’re already talking about the 2009 meet-up.  Thanks to StillSecure, Fortinet and Microsoft for sponsoring the event and allowing us to be able to talk to our peers, compare notes and drink.  I’m not much of a drinker, but I may have to make an exception this year.  Once we turn the cameras off that is. 

If you’re a blogger and haven’t already signed up for an RSA press pass, do so soon.  And if you happen to be on the East Coast, there’s another event coming up, SOURCE Boston, that’s also looking to give bloggers press passes.  How long until we see something like a ‘social media pass’?


Feb 27 2008

Heading for BaySec

Published by under Simple Security

Heading to San Francisco and Pete’s Tavern for BaySec in a few minutes. Hope to see some of you there. Sorry for the late reminder, I’ll try to post on BaySec a day or two ahead of time from now on. If only we could get someone to update the BaySec site in a timely manner. At least I’m in town for this one, instead of some exotic location like Montreal or L.A. Of course, I’m headed to L.A. tomorrow, so tonight will have to be fairly short.


Feb 27 2008

PCI is just the beginning of security

Published by under PCI

What do I need to log? What product will make me PCI compliant? Can you give me a list of acceptable services to run on my Windows 2008 server? Where’s the punch list of things I need to do to be compliant? These and a number of other ‘silver bullet’ questions are things a PCI assessor hears on a daily basis. And we’re not the only ones, if Dr. Chuvakin’s recent post is any indicator: IT managers want to know exactly what they need to log to be PCI compliant. Unfortunately, the answer is “it depends”. There is no list, no resource to refer to, no silver bullet for compliance and, despite many marketeers’ wishes, there probably won’t be. Unless we want to make every network out there exactly the same, that is.

That’s the real reason that Anton can’t answer the question of logging for his customers; each network is different and what’s good for one client might leave gaping holes in another network. Even networks that are using the same types of switches, routers and servers still have enough variation that what’s good for one won’t be enough for another. And just as logging nothing isn’t an acceptable solution, logging everything isn’t acceptable because someone has to actually sit down on a daily basis and review the logs. A recent comment on a mailing list I read asked “who did you piss off to be put in charge of the Linux logs?” It’s tedious work under the best of situations.

The PCI DSS is about risk mitigation (or risk transference, depending on your point of view). It lists a minimum set of standards that merchants and service providers must meet to do business. The risks each business faces are unique and no one can honestly give a cookie cutter approach or a product that meets all the requirements. Even implying that a product is going to solve your problems out of the box is at best bad marketing and at worst an outright lie. No matter what product you choose, customizing it to your environment is going to be vital. Not that I have strong feelings on the subject.

So what is the use of the PCI DSS if there are no real solutions? It’s a starting point to make your network secure. And that’s all it is, a starting point. It’s a minimum set of standards, not an end point in and of itself. And this is where many merchants and service providers fail: they think that once they’ve received the blessing of their auditor for PCI they’re done securing their network. But anyone who’s relying on a PCI assessment to prove that they’re secure is missing the point of PCI and doing their company a disservice.

We all know of a company who was ‘PCI compliant’ but got hacked and lost millions of credit cards due to an improperly secured wireless network. I can only guess they got their letter of compliance, let loose with a big sigh of relief and went on to other projects. Which is exactly why they ended up as front page news. They made the mistake of believing PCI compliance equated to security. And they’re still paying the price for that assumption.

PCI is a starting point for your security programs. It’s a tool to get management to pay for implementing technologies and projects that can secure your network. It can be used as leverage to do the things that really will protect your network. Yes, there are points in the PCI DSS that won’t apply to many businesses but have to be complied with anyway. Luckily, those items are in the minority and the majority of PCI items are things every business should be doing. Your assessor has the job of making sure your network and systems meet the PCI standards and will hopefully have suggestions for continuing beyond PCI to make your business secure. But the fact is, an assessor has to audit to the standards; they can make suggestions beyond PCI, but that’s all they are, suggestions. It’s up to you to take those suggestions and continue the efforts to secure your business.

I’ve been on both sides of the PCI aisle and have a pretty good idea of the problems and benefits of PCI. Obviously I view it as a jumping off point to go beyond just securing credit card data. The same tools that secure your card holder data environment can be used to protect the rest of your network. PCI can and should be used as an agent for change, giving you good guidelines for basic security. But it’s up to you to implement them in the way that best suits your environment and find any holes that PCI and your assessor may have missed. After all, your assessor is human and just as likely to miss something as anyone else; they just have a checklist of things they have to verify.


Feb 26 2008

Network Security Podcast, Episode 95

Published by under Podcast

Rich and I are back after a short break for the doctors to rip open Rich’s shoulder and move things about. We recorded a little earlier than usual so he can take some of his drugs and go back to sleep. He’s going to be recovering for quite a while, but hopefully the pain will soon subside to the point where he doesn’t need Percodine much longer. We had a lot of interesting articles to talk about tonight, but the thing you’ll want to watch out for is a contest Rich’ll be running on Securosis.com in the next week or so. It’s his contest and I don’t know all the details yet, so keep your eyes open.

We’ll be covering RSA together, and with any luck we’ll be doing at least a short podcast from the showroom floor each day. We’ll also be doing a live video stream from this year’s Security Bloggers Meetup, so if you want to watch a bunch of security professionals stand around and shoot the breeze, stay tuned. We’ll be doing one or two interviews while we’re there, so it’ll be more than guys BS’ing. Again, there’ll be more details to follow.

Show Notes


Feb 21 2008

It’s just coincidence, honest

Published by under Hacking

So the week I’m in Montreal there’s a total lunar eclipse and the Montreal police bust a ring of hackers ranging in age from 17 to 26.  I want to state for the record that I had absolutely nothing to do with either event, though I got some really nice pictures of the eclipse.  All I had to do was drive 15 miles north to get out of the light pollution and sit in -15C for a couple of hours.  I think busting the hackers took a little longer and that the police had nice warm offices to sit in.


Feb 19 2008

No podcast tonight

Published by under Podcast

Rich had shoulder surgery recently and I’m in Montreal with very limited internet access from my hotel room, so there won’t be a podcast recorded tonight.  Which is too bad given that there are some very interesting things going on this week: the WikiLeaks site has been shut down by a judge in California and some of the telecommunications experts in the Middle East are saying the cable cuts last month may be sabotage.  I guess we’ll have to talk about that next week.


Feb 17 2008

Headed North for a few days

Published by under General

I’m going somewhere I’ve never been before this week, specifically Montreal.  I’ll be there tonight through Friday morning, spending most of my time working with a client.  However, I won’t be working at night, so if there are any security professionals in the Montreal area who want to meet up for a drink and to shoot the breeze, drop me an email or give me a call on my cell.  My contact information is on the ‘About’ page, but I’m not going to reprint it here, just to avoid one more place for scrapers to find the information.

I am looking for some ideas of things to do while I’m in Montreal, so suggestions will be appreciated.  I finally get to find out what the big deal is about Tim Hortons coffee and poutine, two topics that come up often on the CISSP mailing list.  I feel confident that I can make an objective judgment about which is better, Tim Hortons or Starbucks.


Feb 15 2008

Our government loves us!

Published by under Government,Humor

I’ve been staying away from the topic of the abuse of the FISA courts, illegal wiretapping and the Republican cries of “if you don’t pass this law, you’re supporting terrorism”, but this video sums it up so well.  Making the Executive Branch of government answerable to the Judiciary branch isn’t supporting terrorism, it’s supporting our civil liberties, something we haven’t seen much of in the last 6 years.   You owe it to yourself to watch this video, if only for the laughs.


Feb 15 2008

Apply for a press pass at RSA

Published by under Blogging

If you’re a blogger or a podcaster in the security arena, do yourself a favor and apply for a press pass for RSA 2008.  I don’t know what the criteria are for approval, but the bar isn’t incredibly high nor is the process very onerous.  Ten minutes worth of paperwork might get you a free press pass to the event, which will make selling RSA to your boss or significant other much less painful.

This will be the third year in a row I’ve attended RSA with a press pass, and last year I also attended BlackHat, Defcon and Shmoocon with press credentials, as well as several other events.  There hasn’t been a single case of my being turned down yet, as long as I made the effort to apply.  Most of the security events have realized the influence bloggers and podcasters have, making them eager to have us attend.  After all, anything that gets events more publicity is a positive in the eyes of the PR folks, who are usually the gate keepers for press badges.

A press badge gets you in just about anywhere at RSA, at least that’s been my experience.  We get a special area to sit at the keynote speeches, though I rarely attend those. They have a press room where you can take a few quiet minutes to relax or catch up on email and blog, and there’s often food.  Vendors make all of their material available in one place, plus they usually put a few tchotchkes there you won’t find anywhere else.  The only downside to getting a press pass is the influx of press releases and requests for interviews you’ll get.  That’s not necessarily a bad thing, but you’ll need to learn to be a bit more judicious in your use of email filters.

A full conference pass costs $1725, $2125 after March 8th.  A press pass is free.  Starting up a blog today just so you can get a press pass probably won’t do you much good, but if you’re already a blogger it can’t hurt to ask nicely.  And it helps a lot in stretching your training budget for the year.


Feb 15 2008

Scary concept: Friendly worms

Published by under Malware

This isn’t a new idea, the concept of creating worms that patch your computer when you catch them. There is even some malware out there now that patches vulnerabilities on systems to make sure other worms can’t exploit the same vulnerabilities. But the problem is, if both beneficial and malign software show the same basic behavior patterns, how do you differentiate between the two? And what’s to stop the worm from being mutated once it’s started, since bad guys will be able to capture the worms and possibly subvert their programs?

The article isn’t clear on how the worms will secure their network, but I don’t believe this is the best way to solve the problem that’s being expressed. The problem being solved here appears to be one of network traffic spikes caused by the download of patches. We already have widely used protocols that solve this problem: BitTorrent and P2P programs. So why create a potentially hazardous situation using worms when a better solution already exists? Yes, torrents can be subverted too, but these are problems that we’re a lot closer to solving than what’s being suggested.

I don’t want something that’s viral infecting my computer, whether it’s for my benefit or not. The behavior isn’t something to be encouraged. Maybe there’s a whole lot more to the paper, which hasn’t been released yet, but I’m not comfortable with the basic idea being suggested. Worm wars are not the way to secure the network.
