Archive for the 'Blogging' Category

Jan 03 2011

Good morning 2011

Published by under Blogging,General,Simple Security

It felt good.  I took the last two weeks of 2011 and took a hiatus from Twitter, I tried to stop reading security stories and I generally just stayed away from my home office and computer whenever I didn’t absolutely need to be working.  I still used the iPad and I couldn’t leave my phones behind, but it really felt good to deprioritize social media and email in favor of spending time with my family over the holidays.  And it felt good to just put a little distance between myself and all the stressors on the Internet and in my inbox. 

I don’t do year end reviews and I don’t do predictions; it’s not that I’m against them, it’s that I feel there are a lot of other people out there who have a better 10K foot view than I do.  Plus I hate looking back the next year and seeing how wrong I was about where everything was going.  That being said, I get the feeling that 2011 will be a year of change; too many people are complaining too loudly about being burnt out.  Too many people are saying ‘what we’re doing isn’t working’.  There were too many high profile incidents for people to ignore and keep on doing what they’ve been doing.  Or at least that’s my hope.

Alex Hutton sent out a tweet about a concept called ‘slow hunches‘ not too long ago.  The basic idea is that we all have portions of great ideas floating around in our heads, it’s when these ideas bump against other ideas and let them mature over time that the real game changers start to develop.  That’s a gross simplification of an entire book, but I hope it gets the message across.  I know I have a number of these partially formed ideas in the back of my head and I know from experience that a number of other people across the industry have similar ideas floating around.  What I don’t know is how we get those ideas together in order to affect change.  Because doing the same ol’, same ol’ isn’t working.

Maybe I’m just optimistic and nothing will change.  But like the idea of slow hunches, there are so many incidents both big and small, happening right now that something has to give.  Rich (Mogull) is often telling me that as long as we can continue to do business within an acceptable level of fraud, nothing is going to change.  And he may be right.  But I hope he’s just more of a pessimist than I am.  And in the bigger picture, I’m sure he is right, since the more things change, the more they stay the same.  But I can still hope that someone amongst our community will come up with a seminal idea this year that will change the way we look at security.  Other than “let’s concentrate on the basics” that is.


No responses yet

May 20 2010

Do you find press releases useful?

Published by under Blogging,General

I receive 4-5 press releases about security products a day on average and many, many more just before a major event like RSA or Black Hat.  One of the advantages of being a blogger of long standing and a little renown is that PR agencies send me these press releases in the hopes that I’ll write about them, which is natural since it’s their job.  The vast majority of these press releases I scan through for information relevant to my interests then file them in a folder marked “Promotional”.  I hate to admit it, but close to 95% of the press releases I receive never make it beyond this point.  And given the sparsity of my writing the last few months, it’s probably more honest to say that 99% of the press releases I receive never get much attention.

I know all too many professional writers take the press releases they’re given, pull a couple of interesting facts from it and write a story.  A few of them don’t even necessarily do that much, they simply write a line or two about the press release and post the whole thing.  I’m not sure if that’s an acceptable tactic in publishing circles, but it seems to work for a lot of the professional blogs I read.

Rather than just let the press releases go to waste, I’m going to start posting some of the press releases that are not interesting enough to result in a full blog post but that are still interesting to the security community.  I figure this helps the PR folks a little in getting their message out and may give you a little piece of information you need.  And I’ll occasionally make fun of all the companies that call themselves “market leaders” or “leading organizations”.  I guess it’s technically true, in the same way that I’m the most popular security blogger who’s 6’4″, of a certain weight, with a wife and two kids, living in Northern California.  Define your market narrowly enough and anyone can be a leader.

The first press release for you is from CellCrypt.  They’ve been granted FIPS 140-2 certification for mobile phone applications.  It’s interesting, it’s important to some people, but it’s not close enough to my main areas of expertise to warrant a blog post.  Maybe you can do something with it.


7 responses so far

Mar 09 2010

The Network Security Podcast, Episode 188

Published by under Blogging,Podcast

Can you hear that? That’s the sound of air escaping as we all finally recover from the RSA conference. Rich and Martin are back, and Zach… never left (but did celebrate a birthday last week). We do a quick recap of RSA and then dig into the security news… much of which had nothing to do with the conference. Weird.

Network Security Podcast, Episode 188, March 9, 2010
Time:  32:01

Show Notes:


3 responses so far

Feb 01 2010

Break time’s over

Published by under Blogging,Site Configuration

I read somewhere that starting a new job is one of the top three stressors you can have in your life.  Death obviously tops the list with divorce and moving in the top five as well.  My own experience tends to back up this theory and I’ve had my fair share of stress from changing jobs the last few years.  As many readers know, I left a position at Trustwave last year and started with Verizon Business.  I’ve had enough experience with changing jobs that when I started noticing some of the signs of stress, I decided to do something I had never done before:  I took an unannounced blog sabbatical; I realized I hadn’t written anything other than show notes in several weeks and decided to extend it.

Blogging takes a fair amount of mental energy, even the short posts I tend to write.  Learning the way a new business works and how the processes flow also takes a lot of the same human CPU cycles.  In the past, I’ve tried to keep blogging and adjust to a new position at the same time.  It hasn’t always worked out so well, so this time I put my emphasis on the day job and let the blog languish.  At first it was just going to be a couple of weeks, but at some point I decided that the sabbatical would be over on February 1, 2010.  Arbitrary deadlines are great, you can move them around as much as you like.  And some times you can even meet them.

I’ve been continuing the podcast with Rich and Zach, though that’s taken a bit of a hit with our travel schedules as well.  We’re working on getting a regular schedule back in place, though that may end up being a lost cause until after the RSA Conference this year.  We’re all so busy preparing for the event and traveling that finding a time even two of us can get together to record is sometimes difficult.  This week was no exception, but I’m sure we’ll find a way to manage it.  The good news is that we have real possibilities of face to face time amongst us this year.

I plan on blogging less than I have in the past, but the trade off is that I hope to be able to produce longer posts with more of my own thoughts in them, rather than just pointing to something someone else has said.  I also write over at the RSA blog once in a while and may be putting out articles through one or two other venues.  Have no fear that you’ll miss anything I write, I’ll tweet and otherwise self-promote when I do.  I’m looking forward to the third annual Security Groundhog Day panel this year as well as moderating a panel called Responsible Disclosure: It’s Their Fault! at the 2010 RSA Conference.  Come support me at the talks, they’ll both be entertaining if not enlightening.  And let’s not forget the Security Bloggers Meetup Wednesday night, March 3rd.  Alan Shimel has just posted the finalists for the 2010 Social Security Awards, so head over there to take a look at the list.

This is going to be a busy year.  Between work, two kids that are getting to a socially active age and a host of events like RSAC, BH/DC, Security BSides and FIRST coming up there’s not a lot of time to spare to blog about something someone else said, unless I’ve actually got something to add to the conversation.  I’ll save what time I can devote to blogging to contributing something new rather than just being part of an echo chamber.  Life’s too short to spend on writing fluff.

I’m still around.  I’m still blogging, podcasting, attending events and being part of the security social media scene.  But sometimes I’m shutting all that down for a couple of days or even a couple weeks at a time to deal with family, work and life in general.  Time to get everything a little more in balance for a change, something I’m not really very good at.


One response so far

Jul 07 2009

Back from the FIRST Conference

Published by under Blogging

Back from the FIRST Conference in Kyoto, Japan with a dozen interviews and over 1500 pictures.  To be fair, my wife took a lot of the pictures.  I haven’t had time to blog since getting back or while I was at FIRST, but you can get a very good idea of what was going on by checking out Chris Riley’s blog.  He took awesome notes, something I’m only moderately successful at under the best of circumstances.  I’ll be uploading the interviews over the next few weeks and have several follow up interviews to do with people who didn’t have the time necessary during the conference.  But all of that has to wait until I’ve dug myself out from the pile of email that accumulated while I was on the road.  In the mean time, check out some of the photos I’ve uploaded to Flickr so far.


One response so far

Jun 20 2009

Saturday morning reading for 06/20/09

There have been a lot of stories this week I wish I had the time to write about, but given the choice between blogging or getting ready for traveling to Kyoto, Japan to speak at and podcast from the FIRST conference, preparation has been winning out.  My wife is going with me and she’s been shouldering a lot of the mundane, pedestrian tasks, but I don’t think she can write up reports for me or get ready to make presentations in my place.  Of course, if I could teach her how to do those things for me I would have a lot more free time; which I’d probably fill up immediately with more blogging or maybe tweeting.  Spending more time on Twitter is exactly what I need (that’s sarcasm, for anyone who doesn’t follow me on Twitter).  As silly as it may sound, I’m also starting preparations for Black Hat and Defcon, even though they’re nearly six weeks away.  By the way, it was revealed late yesterday afternoon that Adam Savage from the Myth Busters will be speaking at Defcon 17!  My kids may force me to take them to Las Vegas just so they can see him.

First off, I have a cluster of stories on PCI.  MasterCard stunned a lot of us this week by changing the requirements for Level 2 merchants, making it mandatory for them to have an annual audit by a Qualified Security Assessor (QSA) by December 31, 2010.  I still haven’t talked to anyone who had an idea this was coming, other than in very general terms, so it’ll be interesting to see how this plays out over the next couple of months.  I need to catch up with Avivah Litan some time and find out where Gartner’s negative view of QSAs comes from.  Three more PCI stories that are related are “Weak Security enables credit card hacks” from AP, “Security issues weigh most heavily with acquirers, research says” at Digital Transactions and “Best practices for protecting banking sites” at BankersOnline.com.  It’s good to have a story with some solutions, or at least ideas, to go with some posts about all the security problems we’re facing.

Next up are a couple of stories about some of my co-workers.  The guys over at Spider Labs got called in to look at some malware that was found on ATM machines in Europe.  With the right ATM card and a few keystrokes, bad guys could have the ATM machines spit out receipts with card numbers, PINs, expiration dates and nearly everything else that’s on the Track 2 data.  Then the software can quietly erase itself so minimal evidence is left behind.  The You Shot the Sheriff conference is going on this weekend in Sao Paulo, Brazil and a pair of the guys from Spider Labs will be presenting on Rich Internet Applications and the risks they pose.  Potential disaster because of Silverlight and Adobe AIR?  Not possible (again with the sarcasm).

Finally, I have four unrelated stories:  First of all Jeremiah Grossman is asking the Feds to make it legal to hack .Gov and .Mil sites.  We know these sites are mostly insecure, we know hackers are already attacking them, so why not set some rules of engagement and let white hat and grey hat hackers attack them as well, provided they report the findings back to the site owners?  The idea has some merit, but I’m still on the fence for this one.  Speaking of government web sites, the Department of Homeland Security now has a blog.  Now if Secretary Napolitano would just stop by the Bay Area for a short chat like her predecessor did, I’d be very happy.  Of course, it may be that asking lightning to strike twice is unreasonable of me, but I can dream.  Dave Shackleford has a post about an interesting book, “Adventures of an IT Leader”.  I don’t have time to get a copy from Amazon for the flight to Japan, but it sounds like interesting reading.

The last story is “the evolution of a blogger’s ego” by Jason Alba.  Any blogger who says they don’t have a fair amount of ego tied to their writing is lying, either to themselves or to you.  It’s not a bad thing to be proud of your writing, but some of the yardsticks bloggers have been using to measure their success have been superseded by new measurements.  Comments on your blog used to be what was important, now it’s how many tweets, retweets, friendfeed comments, etc. that are important.  The conversation’s getting more and more fragmented between bloggers and their audience, but it’s also getting more interactive daily.

I’ve got another PCI related post to write this weekend, so that’s it for now.


No responses yet

May 05 2009

Social Security Awards video

That’s right, the video recorded at the 2009 Security Bloggers Meetup is available for your viewing pleasure.  You can watch Alan Shimel present the Social Security Awards, with a little help from Rich and myself.  This was the highlight of the night and the culmination of a lot of work by the people who put the event together.  I got to put Alan in his place (literally) several times during the ceremony and Mike Rothman was as close to speechless as he’s ever likely to be.


No responses yet

Apr 23 2009

Security Bloggers Meetup Pictures

Bill Pennington did an excellent job of taking pictures at the Security Bloggers Meetup last night.  You can view them on Flickr or on Facebook.  And just in case you can’t recognize the people in the pictures at a glance, they’ll be tagged with the right names over the next day or two.  Gee, I’m surprised most of the pictures of me include a mic in my hand.  Go figure.


No responses yet

Apr 23 2009

Security Bloggers Meetup 2009

This is me letting go a huge sigh of relief.  The Security Bloggers Meetup is the one event I look forward to more than any other at RSA and at least as much as any event at the security conferences I attend.  But it’s a huge amount of work, a lot of stress and when it’s all done, there’s a huge burden lifted from my shoulders.  Which is why one of my first thoughts after the party was over is to begin the planning for the RSAC 2010 Security Bloggers Meetup.

The Meetup went almost flawlessly, with the exception of the streaming video of the Social Security Awards; for various reasons I was unable to log into uStream or reset my password, therefore the video had to be scrapped at the last minute.  However, we were able to catch all of the event on high quality video and will be putting the Social Security Awards and over a dozen other video interviews up on YouTube over the next few weeks. 

I don’t know what the official count on attendees was, but we had nearly four times the space this year that we had last year and we were still fairly crowded together.  There was enough room for people to separate a little for private conversations, but not much more. Most importantly though was the fact that everyone I’ve talked to so far who went had a great time at the event.

A huge congratulations to the winners of the Social Security Awards last night!  PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman from Security Incite won the Most Entertaining blog.  Now we just need to get Mr. Rothman to start posting again.

A big thanks to my fellow committee members who made last night possible.  Rich Mogull, Sonya Caprio, Alan Shimel and Jeanne Friedman all put in a lot of hours making this happen.  But the woman who deserves the lion’s share of the credit is Jennifer Leggio.  Without Jennifer, the Security Bloggers Meetup wouldn’t have happened!  So if you see Jen somewhere at RSA or encounter her elsewhere, give her a big thank you for putting on the Security Bloggers Meetup.


One response so far

Apr 07 2009

Lessons learned, the Social Security Awards

Published by under Blogging,Podcast

Sometimes things just don’t go as you planned.  Sometimes nothing goes as you planned.  And sometimes the stuff hits the fan.  Over the last few days, the stuff that has been hitting the fan is the sanity of the people who’re putting on the Security Bloggers Meetup and the Social Security Awards.  We’ve had the best of intentions and done the best we can to create both an enjoyable event and a mechanism to recognize some of the leaders in our community, but we’ve made some mistakes.  Hopefully the event will still be a lot of fun, but we’re having to make some changes to how the Social Security Awards are operating in response to the errors we made and the way it’s affected the outcome of the awards.  For a fuller update on the story, read Rich’s post on the RSA Conference Blog, “Reboot:  Fixing the mistakes we made with the Social Security Awards”.

We’re being as open and honest about the process as we can in the hopes that you’ll give us feedback and ideas for doing this better next year.  We also hope that the issues we’re experiencing with the SSA’s won’t turn anyone off from coming to the Meetup.  The Awards ceremony will only be a small part of the whole event and our goal is still to have fun and give everyone involved in social media from the security sphere a chance to meet and put a face to the voices and written word.  If this incident is something that makes you change your mind about coming, please send me an email and let me know why.  Again we’re doing our best to make this right and prevent it from happening again. 


3 responses so far
