Archive for June, 2009

Jun 30 2009

The Network Security Podcast, Episode 156

Published under Podcast

Martin is off in Japan this week, so I’m joined by our good friend Amrit Williams from BigFix and the Techbuddha blog. Amrit and I start off by talking about the rolling blackouts in California and disaster preparedness, before jumping into the week’s security news.

<Martin>  I’m off in Japan, but not forgotten.  I’m almost afraid to listen to my podcast!  You’d think that by now I’d have gotten comfortable handing off the podcast while I’m away.</Martin>

Network Security Podcast, Episode 156
Time:  41:28

Show Notes:


Jun 29 2009

FIRST 2009: Dr. Suguru Yamaguchi

Published under General, Podcast

I had the opportunity to talk to Dr. Suguru Yamaguchi, Professor of the Graduate School of Information at the Nara Institute of Science and Technology, member of the JPCERT and advisor on Information Security for the National Information Security Center, Cabinet Office Japan.  Dr. Yamaguchi presented the opening keynote for the FIRST 2009 Conference here in Kyoto, Japan and talked about Information Security Management and Economic Crisis.  At least as interesting for me was having my questions translated into Japanese and put to Dr. Yamaguchi again so he could answer in his native language.

Two of the points I found intensely interesting about Dr. Yamaguchi’s talk were his assertion that businesses should be investing in technology during the downturn rather than cutting back, because the investment now may be what enables their survival, and his observation that compromises have an effect on company sales in the Asia Pacific region.  I don’t believe we’re seeing the same sort of downturn in sales when a compromise happens to an American company, and I would like to know why there is such a difference.

FIRST 2009 Episode 7:  Interview with Dr. Suguru Yamaguchi – Japanese

FIRST 2009 Episode 7:  Interview with Dr. Suguru Yamaguchi – English


Jun 25 2009

Heading to Kyoto: Who do you want to hear from?

The wife and I are all packed, the house sitter has been briefed (“Just don’t burn down the house while we’re gone”) and we’re heading off to the airport in a few minutes to fly to Kyoto, Japan to attend the 21st annual FIRST Conference.  The folks at FIRST have tapped me to be the media sponsor for the event this year and I’ll be blogging, tweeting and conducting interviews live on the floor of the conference.  There is a very interesting group of international speakers who all work in the incident response field, some (like me) less than others.  So here’s my question to you:  Who would you like to hear me interview from the list of speakers in Kyoto?  Leave a comment on the blog, tweet me (@mckeay) or send me an email and I’ll do my best to get an interview with your target of choice.  The interviews will be posted within a few weeks after the conference and I’ll try to sneak one or two in while I’m there.

Note to Rich:  Don’t burn down the podcast while I’m gone!


Jun 25 2009

10 Things Dave wants you to know about auditors

Published under PCI, Simple Security

I really wish I could disagree more with Dave Shackleford and his post, 10 Things Your Auditor Isn’t Telling You, but I think he’s really hit it on the head with this one.  And hit it hard.  He starts the post by saying he’s not trying to be mean, but as a PCI QSA there were a couple of times I had to cringe, because it really hits close to home.  It’s tough, because some of the points he makes are almost unavoidable in an audit process, while others are signs of an industry that needs more skilled practitioners than are currently available.  And his final point is definitely true: the people at a company I’m assessing may like me as a person, but I have yet to meet someone who actually likes the process of being assessed and doesn’t channel at least a little of the dislike back to the assessor.


Jun 23 2009

The Network Security Podcast, Episode 155

Published under Podcast

We start the show off by wishing Martin luck with his presentation at the FIRST conference in Kyoto, foolishly trusting Rich with the keys to the podcast. Then Rich fawns over his iPhone 3GS a little too much, but he does manage to talk about some cool new security features.

Rich also rants a little on one of our PCI stories, and Martin updates us on his XBox wireless situation. Finally, we geek out a bit on Adam Savage appearing at DefCon.

Network Security Podcast, Episode 155
Time:  35:28

Show Notes:


Jun 22 2009

NRF Letter to the PCI Council

Published under PCI

The representatives of the National Retail Federation and other associations sent a letter to Bob Russo of the PCI Council on June 8th.  While the letter makes a couple of interesting points, it’s mostly smoke and mirrors meant to draw attention away from the fact that many merchants don’t want to spend the time and money to become PCI compliant.  Request number five really bothers me, because the NRF is asking the PCI Council to quit requiring merchants to retain credit card information for potential chargebacks.  There’s only one problem with that: the PCI Council has no control over what data a merchant has to keep for chargebacks; that is entirely between the acquiring bank and the merchant.  The rest of the requests by the NRF also have logical weaknesses that I just don’t have the time to chew up and spit out properly.

Update:  Anton had the time and guts to do what I didn’t, which is tear apart the letter to the PCI Council.  I do like how he questions the mention of Sarbanes-Oxley as a positive example of how regulation should work.


Jun 20 2009

Saturday morning reading for 06/20/09

There have been a lot of stories this week I wish I had the time to write about, but given the choice between blogging or getting ready to travel to Kyoto, Japan to speak at and podcast from the FIRST conference, preparation has been winning out.  My wife is going with me and she’s been shouldering a lot of the mundane, pedestrian tasks, but I don’t think she can write up reports for me or get ready to make presentations in my place.  Of course, if I could teach her how to do those things for me I would have a lot more free time, which I’d probably fill up immediately with more blogging or maybe tweeting.  Spending more time on Twitter is exactly what I need (that’s sarcasm, for anyone who doesn’t follow me on Twitter).  As silly as it may sound, I’m also starting preparations for Black Hat and Defcon, even though they’re nearly six weeks away.  By the way, it was revealed late yesterday afternoon that Adam Savage from the Myth Busters will be speaking at Defcon 17!  My kids may force me to take them to Las Vegas just so they can see him.

First off, I have a cluster of stories on PCI.  MasterCard stunned a lot of us this week by changing the requirements for Level 2 merchants, making it mandatory for them to have an annual audit by a Qualified Security Assessor (QSA) by December 31, 2010.  I still haven’t talked to anyone who had an idea this was coming, other than in very general terms, so it’ll be interesting to see how this plays out over the next couple of months.  I need to catch up with Avivah Litan some time and find out where Gartner’s negative view of QSAs comes from.  Three more related PCI stories are “Weak Security enables credit card hacks” from AP, “Security issues weigh most heavily with acquirers, research says” at Digital Transactions and “Best practices for protecting banking sites” at  It’s good to have a story with some solutions, or at least ideas, to go with some posts about all the security problems we’re facing.

Next up are a couple of stories about some of my co-workers.  The guys over at Spider Labs got called in to look at some malware that was found on ATM machines in Europe.  With the right ATM card and a few keystrokes, bad guys could have the ATM machines spit out receipts with card numbers, PINs, expiration dates and nearly everything else that’s on the Track 2 data.  Then the software can quietly erase itself so minimal evidence is left behind.  The You Shot the Sheriff conference is going on this weekend in Sao Paulo, Brazil, and a pair of the guys from Spider Labs will be presenting on Rich Internet Applications and the risks they pose.  Potential disaster because of Silverlight and Adobe AIR?  Not possible (again with the sarcasm).

Finally, I have four unrelated stories.  First of all, Jeremiah Grossman is asking the Feds to make it legal to hack .Gov and .Mil sites.  We know these sites are mostly insecure, we know hackers are already attacking them, so why not set some rules of engagement and let white hat and grey hat hackers attack them as well, provided they report the findings back to the site owners?  The idea has some merit, but I’m still on the fence for this one.  Speaking of government web sites, the Department of Homeland Security now has a blog.  Now if Secretary Napolitano would just stop by the Bay Area for a short chat like her predecessor did, I’d be very happy.  Of course, it may be that asking lightning to strike twice is unreasonable of me, but I can dream.  Dave Shackleford has a post about an interesting book, “Adventures of an IT Leader”.  I don’t have time to get a copy from Amazon for the flight to Japan, but it sounds like interesting reading.

The last story is “the evolution of a blogger’s ego” by Jason Alba.  Any blogger who says they don’t have a fair amount of ego tied to their writing is lying, either to themselves or to you.  It’s not a bad thing to be proud of your writing, but some of the yardsticks bloggers have been using to measure their success have been superseded by new measurements.  Comments on your blog used to be what mattered; now it’s how many tweets, retweets, FriendFeed comments and so on you get that matters.  The conversation between bloggers and their audience is getting more and more fragmented, but it’s also getting more interactive daily.

I’ve got another PCI related post to write this weekend, so that’s it for now.


Jun 17 2009

Level 2 merchants are going to have to get serious about PCI

Published under General

Branden Williams at Verisign just posted that MasterCard is now requiring an on-site assessment by a QSA for all Level 2 Merchants.  This is huge, because Level 2 merchants have historically been able to simply fill out a Self-Assessment Questionnaire (SAQ) and call their PCI compliance done.  According to Branden, 30% of the answers merchants have been giving on the SAQs have been wrong, and I’m willing to bet the wrong answers are in little areas of compliance like log management and encryption.  You know, the small things that can be fixed by throwing a ton of money and time at them, if you have either in the current economy.

From a business perspective for QSAs and their companies, this is huge.  The competition to provide services to Level 1 Merchants and Service Providers hasn’t hit its peak yet, but it’s much harder than it was a couple of years ago.  I doubt many sales people were sweating and wondering how they were going to make their quota yet, but they could see the issue coming.  Now they just have to go back and look at all the Level 2s they’ve been providing other services for, and they can start making all those calls to upgrade to having that QSA come on-site.

This might be a good time for someone with access to such statistics to take a baseline of compromise statistics and start seeing if the PCI requirements really are making us more secure or not!  Rather than having the constant argument of “it’s working/it’s just smoke and mirrors”, take a snapshot of what we know right now and let’s see if making the Level 2 Merchants have an on-site assessment is really working.  The Verizon Breach Report may be an excellent starting place for such statistics, especially once we’re able to review the stats year over year.  We won’t really be able to make the call until after the December 31st, 2010 deadline, but we need to get that baseline measurement in place now so we can see the effect.

I am guessing that a lot of QSA companies are going to get bigger this year, as well as a whole slew of new companies started just to deal with the Level 2 Merchants.  I’m hoping that the quality of the assessors doesn’t fall because of the huge influx of QSAs we’ll need to handle the work.  I have a pretty good idea what opinion some of my colleagues in the security field have of existing QSAs, so I really don’t want them to have more ammunition to use in the battle over whether or not PCI is effective.


Jun 16 2009

Network Security Podcast, Episode 154

Published under Podcast

This week we had a chance to talk to Jeff Moss, the founder of a couple of minor security events, Black Hat and Defcon.  Of course some would say that they’re the biggest social events of the year, along with having the best presentations on cutting edge security research, but what do they know.  A lot, apparently, given the number of security professionals and hackers who’ll be making the trip to Las Vegas at the end of July to attend both of these events.

Jeff was recently asked to be a part of the Homeland Security Advisor Council, a diverse group of sixteen individuals who will be advising the DHS and Secretary Napolitano on the security concerns they’re seeing in the real world.  This group includes Governors, both past and present, Mayors, CEOs and Presidents, though Mr. Moss is the only computer security expert.  Jeff is still learning about what this really means, but we spent a significant part of the interview talking about what it means and the agendas he personally would like to see pushed at the DHS.  One of his big concerns is the tradeoff we’re making between security and privacy, and whether anyone is taking steps to measure those tradeoffs.

Network Security Podcast, Episode 154, June 16, 2009
Time:  45:34


Jun 15 2009

It’s the little things that get you noticed

Published under General

Over at the Information Security Leaders they posted about resumes and how the little things may not seem important to you but may be the thing that loses you the next job opportunity you’re looking for.  You know, the little things, like running a spell checker on your resume before you send it out or making sure your verbiage is correct and the spacing between paragraphs is right.  It’s amazing how many people forget to do these simple things that are so glaringly obvious to the people who are reviewing the resumes.  The thing to remember is that the people who review resumes are looking for reasons to throw out as many resumes as possible before they really get down to the nuts and bolts of seeing who’s left in the stack and whether they actually qualify for the position.  I remember when most resumes were still sent on paper and people sent resumes on odd colored or outsized paper in order to get noticed.  Those resumes got noticed for certain, but it was because it was another one of those things HR departments use to filter out the resumes they won’t bother reading.

One of the things that many people fail to remember is that critical review doesn’t stop once your resume has been handed off to the hiring manager, or even once you have the job.  The small things we do on a daily basis accumulate to become our reputation, often even more than the big events in our life do.  Being on time, being clean cut and neat, being the guy who always has something nice to say in the morning are all positive factors; being the guy who never does anything outside his job description, never stays late or just has a bad attitude, whether it’s Monday before the first cup of coffee or Friday before the first beer, all reflect negatively on you.  I’ve been every one of those people at one time in my career, and you probably will be too.  Even if you think people don’t notice, there’s always someone who’s watching and tabulating your ‘reputation score’.  They may not even be aware of it themselves, but that day you sneak out early is the day your co-worker thinks “There’s Martin leaving early.  Again.”  He may not have consciously realized he’d seen you leave early before, but it registered where it’s important.

Most of us aren’t thinking about our reputation when we’re writing our resumes, but it’s vital that we realize the resume is the first step in building what could be the next step in our professional reputation.  A sloppy, poorly formatted, misspelled resume may get you a job eventually, but it’s negative momentum that has to be overcome in the hiring process rather than a tool to showcase your talents and strengths.  And when you’re at the level of ‘just let me get the interview’, even a little bit of negative momentum is often too much to overcome to get your next job.

I hate writing resumes.  I’m good at it, but I absolutely hate categorizing and listing my strengths and talents.  I’ve had basically the same resume for five years because of it.  But I have made absolutely certain that there are no typos, that the formatting is correct and that the important facts are clearly laid out and easy to see.  I have a spare page in my ‘draft’ resume that’s nothing but bullet points I can use to replace the ones on my resume to craft it for the next job I submit it for.  It’s not sexy, it’s not fun, and writing a resume will never be something I enjoy.  But as much as I hate resume writing, it’s all too often the only way I’ve been able to go from being a faceless name on a page to having the coveted title of ‘employee’.
