Archive for the 'Blogging' Category

Dec 12 2011

Open Tabs 12/12/11

Published by under Blogging,Government,Privacy,Risk

Usually I try to find the time to blog first thing in the morning, but today was way too busy to allow for anything nearly as relaxing as blogging.  I spent two days traveling to and from a client site last week and then two more days at the BayThreat conference, with only Sunday at home to relax and play Skyrim … I mean spend with the family.  BayThreat was a ton of fun; my co-worker Mike Smith gave a presentation called “Zerging is for Chumps” and another friend, Gillis Jones, gave his first talk, “Show me the Money”, just to name a few.  It’s interesting to go to a convention where you can almost talk to every attendee if you put your mind to it.  And you know I gave it a pretty good try.  Anyway, I’m off for more flying around the country again this week and have a ton to do in the meantime, so this may be the only chance I get to post this week, other than the podcast.  Presuming I can get that done with Zach this week.

Open tabs, 12/12/11:


No responses yet

Oct 31 2011

Open tabs 10/31/11

It was a fun Halloween, or at least as much fun as it can be if you spend the whole day home working.  It would have been fun to be in the office today to see my co-workers in their costumes, but I had far too much to do to make the commute to my office.  Tomorrow, however, is a different story.  We’ll actually have a podcast this week, since I sat down and talked to HD Moore and Josh Corman about “HD Moore’s Law”.  If you don’t know what that is yet, tune in tomorrow.

Open Tabs 10/31/11


No responses yet

Oct 22 2011

Open Tabs 10/22/11

Published by under Blogging,General

The problem with having a body clock that thinks it’s on the East Coast even when it’s not is that I’m up early no matter what day of the week it is.  I’d like to sleep in, but once thoughts of CDNs and presentations start dancing in my head, it’s time to get up.  Which is okay, since there’s a lot to do this weekend before I head to Miami and Hacker Halted on Monday.  I’m going to be presenting with my good friend and former colleague, Mike Dahn.  Then it’s back home for a few days and off to BSides DFW for a completely different presentation.  The next trip after that is with the family, so the only commitments I’ll have are keeping the kids out of trouble.

Open Tabs

A couple late additions, since I’m waiting on the next cup of coffee to be ready:


No responses yet

Oct 18 2011

Open tabs 10/18/11

Published by under Blogging,General

I used to post some of my reading material at least daily, but got out of the habit because I was using the posts to fuel the podcast.  But since I’ve been bad at posting anything at all lately, I’ve decided that I should post at least every few days the articles I’m reading to keep myself up to date.  I know I could use something like Instapaper to do this as well, but I’m an old-school blogger, so I’ll do it here instead.

Open tabs 10/18/11


No responses yet

Oct 04 2011

Live tweeting the House Intelligence Committee

Last night I got an email from Jim Engineer at e-Rainmaker PR stating that Kevin Mandia from Mandiant would be appearing before Congress.  I’m always interested in hearing the leaders in our industry speak to members of Congress, because it reveals a lot not only about the thought processes of the folks presenting to Congress, but also about what our Congressmen think about security.  This hearing was no different from most, in that it showed there are definite agendas at work, but it also showed that the biggest concern for our Congress is the threat of China to our businesses and intellectual property, in addition to attacks on government properties.  I live tweeted as much of it as possible and I’d like feedback in the form of comments if you found it valuable.  Or even if you didn’t.  Any misquotes are my own and are attributable to trying to listen and tweet at the same time.

General Hayden impressed me the most of the three speakers.  His main message was that the issue of cyber-security is not something we should be in a rush to come up with ‘the answer’ for, but that we should be looking at having long conversations about what needs to be done in a thoughtful, logical manner.  While he encouraged legislation, he made it clear he wants the goal to be outcomes, not just compliance.  He was level-headed and clearly understood the difference between security and compliance, something Kevin Mandia also backed up.

I thought Kevin was underutilized in this conversation.  He had some very good, clear thoughts on the subjects at hand, but the members of the committee seemed to give his testimony less credence, since it didn’t directly feed into the narrative they were trying to lead to.  His strongest statement was, “You will be breached, the security compromise is inevitable.” He followed it by stating that “In our last fifty incidents, forty-eight of them learned of the compromise from external third-parties like the FBI”.  That’s a pretty damning statement about the state of detection in our industry today.

And then there was Art Coviello.  I’m not going to dig too deeply into Mr. Coviello, but he was being a good CEO while also being an intellectually dishonest security professional, if you could call him a security professional at all.  Statements like “Our advanced technology allowed us to detect and react to the attack in progress” and “We were within hours of being able to stop the compromise” and other comments about how ‘swiftly’ RSA responded to the compromise go directly against the timelines in the press and against the history of how RSA notified the public and their customers of their compromise.  Remember, they didn’t even have a Chief Security Officer before the compromise, there was no one at the C-level responsible for security.  I was very unimpressed with Mr. Coviello today.

Not much will come from this Committee meeting, but it was educational to learn what message the members of Congress wanted to put out and how businesses are willing to help them.  It was also a lot of fun to live tweet it and see what security professionals around the country think.  Marty Roesch from Sourcefire (@mroesch) was especially cynical and entertaining.  But there were a lot of people who had good feedback and questions, for which I’m thankful.

Feedback on live tweeting is very appreciated, leave comments and expect me to do the same next time I have time and opportunity.  And here’s the press release from Jim.

For your information, MANDIANT CEO Kevin Mandia will offer testimony to the House Intelligence Committee at the invitation of Chairman Mike Rogers (R-MI) tomorrow, Tuesday, Oct. 4, from 10 a.m. to 1 p.m.  Kevin is available to comment on his testimony should you have an interest in pursuing.

To view the testimony please visit:

http://intelligence.house.gov/hearing/cyber-threats-and-ongoing-efforts-protect-nation#

“Cyber Threats and Ongoing Efforts to Protect the Nation” 10:00am – 1:00pm ET HVC-210

· The Honorable Michael V. Hayden, Principal, The Chertoff Group
· Mr. Arthur W. Coviello, Jr., Executive Chairman, RSA
· Mr. Kevin Mandia, Chairman and Chief Executive Officer, MANDIANT

Chairman Rogers on the Cyber Security Hearing:

“Examining the threat of cyber attacks against the United States is of utmost importance. The threat of cyber attacks continues to evolve. What started out as a kid in the basement hacking into a school computer to change a grade has evolved into entire nation states focused and determined to exploit our nation’s cyber systems. The Committee will review recent developments in the evolution of the cyber threat against the United States by nation state actors and others. Additionally, we will evaluate the status of the United States government’s efforts at providing cyber security within the government, the status of cyber security in the private sector, and the sharing of government information, including intelligence information, with the private sector to enable it to better defend and protect our nation’s most critical private systems.”

Jim

PS: I think I only heard the dreaded “APT” once, from Art Coviello.  Figures.


2 responses so far

Oct 04 2011

Write to learn, learn to progress

Published by under Blogging

This weekend I saw a post called “What does eight years of blogging get you?”  I realized almost immediately that I’d been blogging for just over 8 years myself and that the author’s experiences mirror my own, though he’s a bit more prolific and encourages comments much more than I do.  In 8 years, I’ve written over 2000 posts, received over 2000 comments and recorded nearly 350 podcasts (including 100 interviews).  While perhaps too many posts have been about me and my travails, I have to say that the decision to start blogging has easily been the single most important and formative event of my career in security.  Nothing I’ve done, whether it’s getting a degree or my CISSP (no snickering!), has had nearly the effect on my career that blogging has.  Podcasting comes close, but is mostly an extension of the blog, and Twitter is a distant third; but my blog will still be around in the years after the security community has moved on to The Next Big Thing and Twitter is a fond memory.

Mitch nails it with his 8 reasons for still blogging.  I get a lot of people (okay, 1-2 a week) asking me for career advice in security and the two things I always tell them are to start blogging and to get involved in the security community on Twitter.  Whether you understand it or not yet, you’ll learn that being able to communicate is one of the keystones of a career, even more important than the technical skills.  Let me say that again:  It’s more important to be able to communicate than to be able to configure or run a technology.  Your ability to work with a specific technology may be the best in the world, but unless you can communicate to your management why what you do is important, you’ll never progress beyond the level of technologist.  That may be fine for you, but I suspect most people want to move on to bigger and better things at some point in their career.

Blogging is a great venue for exploring big thoughts that can’t be fleshed out in any other way.  I’m a huge fan of Twitter, but there are definitely limitations to how complex an idea you can communicate 140 characters at a time!  Blogging lets me slow down, formulate my ideas in a coherent manner and lay them out in a logical fashion that I hope is easy to understand, or at least read.  But more importantly, it’s a discipline that has caused me to hone my critical thinking skills and aided me in understanding the thoughts that underlie my own ideas and concepts.  Putting these ideas out there also gives others the opportunity to provide feedback, point out where I’m wrong and sometimes just call me an idiot for my ideas.  Even when being called an idiot, I generally learn something from the process; if nothing else, I’ve learned how to take destructive criticism with a certain amount of aplomb.

I’ve also gotten to meet more great people than I can ever list thanks to blogging.  The security community seems insular when you first get involved, but blogging opens doors and allows you to meet people who were only a name to you at one time.  The first time I knew blogging was a big deal for my career was when I wrote a post criticizing Tenable for charging for the Nessus signatures.  Ron Gula reached out to me shortly after I posted and explained to me in great detail why it was a necessary move and started a friendship that remains today.  Putting yourself out there publicly will reveal you to people who are the actual movers and shakers in the security field and begin conversations that can last years.

For me, the culmination of 8 years of blogging came when I started my current role as a Security Evangelist for Akamai.  I’ve gushed about my job before, and won’t do so again, but I do want to point out that I was hired not only in part because of my blogging experience, but also because blogging has allowed me to hone my thinking more than simply being a practitioner would ever allow.  The fact that I’m willing to put myself out there, to engage in dialogue and simply argue with people publicly in ways I hope further the profession was a key factor in getting this role.  Think about that before you dismiss the idea of blogging.


2 responses so far

Apr 14 2011

Feeling one-dimensional

Published by under Blogging,General

I feel a bit guilty sometimes when I look at my own blog.  When I started blogging oh-so-many years ago, I’d blog at least daily, often two to three times a day depending on the time I had and what interesting stories I could find as the day went by.  Also depending on what my workload was, which was fairly light when I started, since monitoring an IDS really isn’t that hard once you’ve got things properly tuned.  The blog was a new toy that I wanted to play with as much as I could and there were a lot of ideas I wanted to explore back then.  But the shine has long since worn off of the toy.

Fast forward to now and I often go a week or more without a new blog post.  Sometimes the only post for the week is a link to the podcast, and some weeks even that doesn’t happen due to travel schedules.  So I’ll look at the site and feel bad because nothing’s been written, try to come up with anything and either walk away because I can’t come up with an idea or write something I don’t publish because, honestly, I sometimes write a pile of steaming crud that I don’t think should be inflicted on anyone.  These have some value, because they clear my mind a little, but you shouldn’t have to read them.

But the biggest problem I have with writing is that some days I feel like I only have one subject to write on, which is, you guessed it, PCI.  It’s an important subject, I have a fair amount of experience in it and I have points that have value and should be shared with the folks who come to the blog.  But it feels like I have been having the same conversation for a few years now, and I know that if I’m boring myself with the talk, I have to be boring others with it as well.  And if there’s one cardinal sin in writing, it would be boring your reader.

I’m not sure there’s a solution for this problem, or at least not an easy one.  PCI is what I do for a living, I’m immersed in it 40-60 hours a week.  It’s hard to get out of the mindset of compliance.  The PCI requirements haven’t changed significantly in years, despite the fact that 2.0 came out last year.  And it’s not going to be changing again for at least three more years.  It’s not exciting, it’s not sexy and there’s not a lot of news that’s coming out about PCI.  Unless you consider all the breaches that is.

It’s a little depressing to be so one-dimensional, to not have a breadth of subjects to talk about.  And even within PCI there are some subjects and events I can’t write about because either my employer is involved, therefore I’m involved indirectly or because I’m involved directly and would be incredibly stupid to make any comment on the situation at all.  To be fair, no one I work with has editorial rights on my blog or any say in what I write about here, but I have a healthy sense of self-censorship.  I like my employer and am in no hurry to do something that would get me in hot water in a hurry.  I figure this is simply a factor of growing up and taking responsibility, not a constraint laid on me by someone else.

I’m not sure there’s a solution at the moment, but I’m open to suggestions.  I’ve started to branch out a little in my non-work hobbies; I’ve picked up a bunch of Arduino stuff and I’m working with the kids to learn more about electronics and to brush off some long neglected programming skills.  I’m also starting to talk to other security professionals I respect about long term career goals.  I often wonder how I got where I am in my career and rather than continuing to trust in the luck that got me here, I’m starting to lay some of the groundwork that will be needed to take me to the next level.  You’d be surprised how much good advice you can get if you just take the time to ask for it.  But neither of these is really at a point where I can write about it and I’m not sure this blog is the place to talk about Arduino in any case.  Career advice, yes, at least once I’ve digested enough of the wisdom of the folks I’ve been talking to.  Which could be a while, since this is something that I’m a little slow in assimilating.

I’m sure I’m not the only one who’s run into this issue.  I know from the comments I receive from time to time that I’m not the only one who thinks the blog has become one-dimensional.  I think the proper term is ‘stuck in a rut’.  How have you broken out of your own rut in the past?  How have you broadened your skill set or interests so that you’re not a one trick pony?  Am I fretting over something that’s a non-issue and should stop whining and go back to writing about PCI and be happy I have something I’m, well, if not an expert, at least experienced in?  I’m curious how others feel about running into the same problem and would like to hear from you.

Thanks.


3 responses so far

Jan 30 2011

Writing myself out of time (and energy) to blog

Published by under Blogging,Podcast

One of the main reasons I started blogging way back when was because I had ideas I wanted to express and an excess of time to think about them.  Boy, those were the days, when it wasn’t uncommon to have two or three breaks during the day when I could read some of the interesting articles and make a comment or two.  I could whip out a post in 15 minutes or less because I’d done most of the planning for the writing in some other down time I’d had earlier in the day.  I wish I’d been able to save some of that down time, because I could use it now.  Oh, yes I could.

We all have those days where the currents of your workload all gang up to overwhelm you at once.  That’s pretty much been the whole year so far for me.  Add on to that a regular podcast, gearing up for interviews at RSA, preparing a talk with Mike Dahn on PCI and Cloud Computing, plus preparing for travel the week after RSA.  And then there’s another project that’s just ramping up.  I have high hopes for this one, but I’ll have to keep quiet on it for a little while.  And speaking at Source Boston in April.

One of the reasons I haven’t been writing much on the blog lately is that I’ve gotten so up close and personal with PCI the last few months that it’s hard to pull back a little and look at bigger picture issues.  I never intended for this blog to be a PCI specific site and I still don’t.  So I resist writing on the stuff I deal with daily, which limits what I have the time and energy to write about.  I have plenty of writing coming up for Verizon Business concerning PCI, but I expect that to surface mainly on the Verizon Business Security Blog.

I’m not going to shut down this blog any time soon, it’ll still be here, but the reality of life is I need to concentrate more on my day job than the things I’ve been doing for years on the side.  I’ll still write here when I have a spare moment and an idle thought, but I’m no longer going to pressure myself to feel I need to update daily (how long has that been?), weekly or even monthly.  Podcast notes will show up weekly (or so), I’ll still mouth off from time to time.  But I have to make this a lower priority, at least for the time being.

Hopefully I can re-examine the blog once RSA is over.  There’s been a lot of talk lately that blogging in the security community has fallen by the wayside and I definitely feel some of the effects as well.  I think it’s part of growing up and having to spend more time making things happen and less time talking about it.  At least that’s what I’d like to believe.  In the meantime, this can be my annual “RSA is a lot of work, I’m burnt out, it’s fun, but I can’t wait for it to be over” blog post.


No responses yet

Jan 19 2011

2011 Social Security Awards

I am so behind on my blogging it’s not funny.  I was supposed to say something about the 2011 Social Security Awards a couple of weeks ago, but between running around the country and writing long, boring reports on PCI compliance, something had to fall off the to-do list, and blogging was it.  Which is why it’s a little ironic to break the silence with a post honoring some of the best writers in our business.  After which I’ll probably be going back to radio silence as I try to create a small bubble of calm in my work schedule that will allow me to attend the RSA Conference with minimal interference.  Or at least that’s the theory.

This is the third annual Social Security Blogger Awards, and once again the committee putting it together, led by the incomparable Alan Shimel, has worked hard to improve both the process for deciding the categories and the process for voting.  There were a number of categorizations in last year’s awards that had many of us laughing and shaking our heads in confusion, but by that time it was too late to make changes.  So this year Alan and his team of judges, who are all professional writers who cover the security field, revamped the categories and I think everyone involved will agree that they’ve done a great job of it.  The judges picked the cream of the blogs and podcasts from all the great people we have writing; now it’s up to you to decide who the real winners are.

As always, I look forward to the night of the Security Bloggers Meetup at RSA.  This year, my influence on the whole process has been minimal, and as always, Jennifer Leggio has been shouldering far more than her fair share of the work.  Not to say I haven’t done anything… well, actually, I haven’t.  We’ve been doing this for a number of years now and it’s clear that Jennifer has a handle on everything and if I try to get further involved I’ll slow things down more than help.  Which goes back to my original point that I’m already too busy with the day job to help much.  But the SBM has become the central event of the RSA Conference, at least for me, and the pivot that all my other plans revolve around for the week.  The few hours we take out of an evening to connect and reconnect with the people in our community who distinguish themselves by trying to express the problems and solutions for our industry is worth more than almost anything else that goes on at RSA, at least for me.  People who are passionate about what we do are always exciting to be around.

Who are your favorites for this year’s Social Security Awards?  I especially like the new category “The single best security blog post of the year”.  Not everyone can write regularly, in fact some people may only put out one or two blog posts a month.  But the thought and quality of writing that goes into those infrequent posts is exceptional and deserves to be recognized.  And the folks who continue to put out exceptional content day after day just blow my mind.

Go now, vote on the Social Security Awards.  Vote for your favorite, vote for the person you think is most deserving or vote in an utterly random fashion, as long as you vote.  While the awards are for bloggers and by bloggers, the reason we write is for the readers and listeners in the real world.  And this is your chance to help recognize the people you think have had the most impact and influence on our community.  Or at least amused you the most.


One response so far

Jan 03 2011

Good morning 2011

Published by under Blogging,General,Simple Security

It felt good.  I took the last two weeks of 2011 and took a hiatus from Twitter, I tried to stop reading security stories and I generally just stayed away from my home office and computer whenever I didn’t absolutely need to be working.  I still used the iPad and I couldn’t leave my phones behind, but it really felt good to deprioritize social media and email in favor of spending time with my family over the holidays.  And it felt good to just put a little distance between myself and all the stressors on the Internet and in my inbox.

I don’t do year end reviews and I don’t do predictions; it’s not that I’m against them, it’s that I feel there are a lot of other people out there who have a better 10K foot view than I do.  Plus I hate looking back the next year and seeing how wrong I was about where everything was going.  That being said, I get the feeling that 2011 will be a year of change; too many people are complaining too loudly about being burnt out.  Too many people are saying ‘what we’re doing isn’t working’.  There were too many high profile incidents for people to ignore and keep on doing what they’ve been doing.  Or at least that’s my hope.

Alex Hutton sent out a tweet about a concept called ‘slow hunches’ not too long ago.  The basic idea is that we all have portions of great ideas floating around in our heads; it’s when these ideas bump against other ideas and we let them mature over time that the real game changers start to develop.  That’s a gross simplification of an entire book, but I hope it gets the message across.  I know I have a number of these partially formed ideas in the back of my head and I know from experience that a number of other people across the industry have similar ideas floating around.  What I don’t know is how we get those ideas together in order to effect change.  Because doing the same ol’, same ol’ isn’t working.

Maybe I’m just optimistic and nothing will change.  But like the idea of slow hunches, there are so many incidents both big and small, happening right now that something has to give.  Rich (Mogull) is often telling me that as long as we can continue to do business within an acceptable level of fraud, nothing is going to change.  And he may be right.  But I hope he’s just more of a pessimist than I am.  And in the bigger picture, I’m sure he is right, since the more things change, the more they stay the same.  But I can still hope that someone amongst our community will come up with a seminal idea this year that will change the way we look at security.  Other than “let’s concentrate on the basics” that is.


No responses yet
