Network Security Blog

Rich and I are back from RSA, rested and ready to go!  Baah, who am I kidding; here it is four days later and we’re both still so tired we’re barely able to talk coherently.  Not that we’d let that stop us from recording a podcast.  Never has and probably never will.  In any case, we start tonight with a recap of some of our observations of the 2009 RSA Conference and move on to the current media hype over the swine flu.  Use the swine flu as a learning exercise in how to cope with media hype, a good excuse for reviewing your own disaster preparedness plans and a way to get some of the same issues dealt with by your management.  The hours you spend looking at your options today may save you hours or days down the line.

Network Security Podcast, Episode 148, April 28, 2009
Time:  40:06

Show Notes:

• World Health Organization
• Center for Disease Control and Prevention
• Tonight’s music:  Johnny Citizen with Painful Tired

The Verizon 2009 Data Breach Investigation Report is one of the most important articles to be posted to the Internet so far this year if you’re a security professional.  Not only does it give us an honest view into what’s happening in real world breaches, it gives us ammunition to take to management in the form of real numbers from data breaches and what caused them.  Real world numbers are always better than our suppositions when trying to prove something to management.

I got a chance to talk to Wade Baker, one of the primary authors of the Verizon report, last week at the RSA Conference.  We talk about how the Breach Investigation Report, how security professionals are using it and the possibility that Verizon may be releasing their methodology so that other companies who respond to breaches can contribute to the statistics.  Personally love to see a wider variety of breach information added to the statistics so we can see if the cases Verizon is being called in on are the the norm or if there’s something anomalous about their experience.  More data and better statistics can’t help but give us more ammunition to help secure our enterprises.

NSP Microcast RSAC 2009 – Wade Baker from Verizon

We all know it’s going to happen and probably sooner than later; spammers will figure out that people are panicking about swine flu and they’ll start registering domain names and sending out email offering the latest information and drugs guaranteed to stop swine flu.  I’m actually surprised that it hasn’t started already, but I guess even spammers take the weekend off occasionally.

There are a few fairly simple steps you can take to protect your users from being taken in by this spam.  First of all, inoculate them by giving them real information about the swine flu.  Stephen Northcutt has written up a pretty good post with lots of links to important information like what influenza really is and what steps people should be taking to prevent the spread of the flu.  Here’s a couple major hints: wash your hands often and stay home if you’re sick. 

The second step you can take is to keep an eye on the Internet Storm Center.  There hasn’t been much activity in the spam arena around swine flu, but the guys at the ISC will probably be some of the first to let us know when it starts.  It’s not a question of if we’ll get spam related to the current public panic, so keep your eyes and ears open to prevent your users from getting taken in.

The third thing I can’t suggest highly enough is don’t panic.  There’s a lot of media hype around the swine flu, but the reality is, this doesn’t yet appear to be anything much more than our annual round of the flu.  True, it could turn into a lot more and we don’t yet have a vaccine for this strain, but relatively few people have died and most of those appear to be people who were already in a weakened state.  Plan, know what you’ll do if things do turn out to be worse than they appear, but do so in a calm, reasoned way.  Think of this as another incident response drill where you need to think about the steps you’ll need to take well in advance and you’ll be fine. 

Update:  Looks like the spammers started some time early this morning:  Swine Flu spam from McAfee Avert Labs Blog

I’m the first to admit that my own direct experience at forensics is limited, but what I’ve seen has always been done using a set of tools collected and mastered by the individual responding to the incident and that any framework surrounding the response has been developed through experience.  It’s hard work that takes a very specific skill set that only a limited number of individuals have.  I don’t have those skills and admire those who do.

I had a chance to sit down on the show room floor at the RSA Conference and talk to Dave Merkel about Madiant’s ‘red box’ Intelligent Response (MIR).  Intelligent Response allows the forensics responder to collect important information from a large number of hosts quickly, and more importantly, consistently.  Once the vector of infection or attack has been identified, MIR can be used to scan the systems with very specific instructions, allowing the specialist to find other compromised systems quickly and with a high degree of confidence.

Dave Merkel and I talk about how Madiant works as well as his opinions about recent news of breaches and compromises.  If anything, Dave thinks some of the reports on SCADA compromises may be under reported, something that really makes me worry. 

NSP Microcast RSAC 2009 – Dave Merkel from Madiant

Bill Pennington did an excellent job of taking pictures at the Security Bloggers Meetup last night.  You can view them on Flickr or on Facebook.  And just in case you can’t recognize the people in the pictures at a glance, they’ll be tagged with right names over the next day or two.  Gee, I’m surprised most of the pictures of me include a mic in my hand.  Go figure.

This is me letting go a huge sigh of relief.  The Security Bloggers Meetup is the one event I look forward to more than any other at RSA and at least as much as any event at the security conferences I attend.  But it’s a huge amount of work, a lot of stress and when it’s all done, there’s a huge burden lifted from my shoulders.  Which is why one of my first thoughts after the party was over is to begin the planning for the RSAC 2010 Security Bloggers Meetup.

The Meetup went almost flawlessly, with the exception of the streaming video of the Social Security Awards; for various reasons I was unable to log into uStream or reset my password, therefore the video had to be scrapped at the last minute.  However, we were able to catch all of the event on high quality video and will be putting the Social Security Awards and over a dozen other video interviews up on YouTube over the next few weeks. 

I don’t know what the official count on attendees was, but we had nearly four times the space this year that we had last year and we were still fairly crowded together.  There was enough room for people to separate a little for private conversations, but not much more. Most importantly though was the fact that everyone I’ve talked to so far who went had a great time at the event.

A huge congratulations to the winners of the Social Security Awards last night!  PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman from Security Incite won the Most Entertaining blog.  Now we just need to get Mr. Rothman to start posting again.

A big thanks to my fellow committee members who made last night possible.  Rich Mogul, Sonya Caprio, Alan Shimel and Jeanne Friedman all put in a lot of hours making this happen.  But the woman who deserves the lion’s share of the credit is  Jennifer Leggio.  Without Jennifer, the Security Bloggers Meetup wouldn’t have happened!  So if you see Jen somewhere at RSA or encounter her elsewhere, give her a big thank you for putting on the Security Bloggers Meetup. 

I caught up with Gary Palgon, VP of Product Management at  from nuBridges.  nuBridges is a tokenization vendor, meaning that they provide a way for a business to use a value that is hashed from the original data but can’t be reversed to discover what the original value is.  In the case of many of the people I deal with regularly, this would mean credit card numbers.  The merchant supplies the card number to the tokenization server, the server stores the card number in a safe, encrypted fashion and a token is used in place of the original card number anywhere it’s needed in the enterprise.  Because only the token is stored in most places throughout the enterprise, the scope of a PCI assessment is greatly reduced and cardholder data is much more secure than if it was in each of the datababases.

nuBridges has announced Format Preserving Tokenization, which allows the user to create a token that meets a wide variety of needs, such as keeping the string length or preserving the last four digits of a card number as part of the token.  This allows for uses such as allowing a customer’s ID to be verified by asking the last four digits of a social security number without revealing the whole number. 

NSP Microcast RSAC 2009 – Gary Palgon from nuBridges

Rich and I tried our best to get a podcast recorded and posted last night, and we were partially successful; at least we got the podcast recorded.  But the editing and posting part was well beyond my capabilities once I got back to the hotel room last night.  But it’s here, bright, shiny and new first thing in the morning.

RSA has been a hectic and exhilarating event so far, and the best part is yet to come!  Rich and I had just finished our panel discussion, Avoiding Security Groundhog Day, and were joined by Rich’s partner at Securosis, Adriane Lane.  We found the quietest spot possible at RSA, which happened to be the near the top of the escalators.  Yes, quiet space really is that rare at RSA. 

Network Security Podcast, Episide 147, April 21, 2009
 

I’m getting to talk to a lot of interesting people from parts of our industry that I might never have had access to before, thanks to the Forum of Incident Response and Security Teams.  This week’s example is Jeff Carpenter the technical manager at the CERT Coordination Center.  Jeff is also one of the people responsible for organizing this year’s FIRST Best Practices Contest.  This year the topic is Detect, which is a topic near and dear to Jeff’s heart, since that’s a large part of what he does in his day to day life.  We talk about last year’s contest, what’s going to be happening at the event in June and what it’s like to work at one of the oldest CERT teams.

The deadline for submissions to the FIRST Best Practices Contest 2009 has been moved to May 11, 2009.  It’s $5000 for first prize, so if you have a paper you think might be worthy, take the time to enter.

FIRST Podcast, Episode 2:  Jeff Carpenter, CERT-CC and Coordinator of the FIRST Best Practices Contest

It’s gotten pretty normal for me to accumulate a number of open tabs in Firefox and then flush them all out Saturday morning by writing a short blog post with links to all the important stories.  Except I’m looking at my calendar for the next ten days and the only thing I can do is groan.  Training all day tomorrow with the Cub Scouts so that I can officially take the boys camping and make it apply for their badges, a trip to Oakland on Sunday, then RSA and everything involved with it, then capping it off with a Cub Scout Camporee next weekend as soon as I get back from RSA.   Then there’s a week of catch up and another camping trip, this time with my father and brother.  So if you haven’t heard from me in a week or so after RSA, you’ll at least have some idea of why. 

• A toy I want:  Toool credit card emergency pickste v2.0 – I don’t see how I’ll be able to get my hands on a set of these before Defcon, but I’m keeping my eyes open.
• Exotic Liability podcast – I haven’t listened yet, but there’s a lot of buzz on twitter about this new podcast.  Speaking of new podcasts, Rich was on the latest episode of Beyond the Perimeter with Amrit Williams.  
• You knew about the 2009 Data Breach Investigation by Verizon, but did you know they’re having a roadshow in support of the paper?
• Incident Response vs. Incident Handling – I’d never really thought about this before, but it makes sense: it’s the job of the incident handler to keep management off of the back of the incident responders.  
• Role of Bush NSA plan under review – Nooo, this isn’t a power grab at all.  And it’s all in the best interest of the country.  Really!
• Guess what?  SSH again! – Better check your passwords, brute force attempts against SSH servers are on the rise again.
• Hacking Internet backbones – it’s easier than you think – Black Hat always turns up the juiciest secrets.
• The Pirate Bay four found guilty – My bittorrent client is weeping.