Archive for the 'General' Category

May 05 2008

Desperate for attendees

Published by Martin under General

I’ve attended my fair share of conventions, but this is a first: CTST 2008 is offering up a free night’s stay if you’ll attend their conference. Their event is next week and I’m pretty sure the offer isn’t transferable, but I find it very interesting that they feel like they need attendees badly enough that they’re willing to make this offer at all. Add this to the fact that my name showed up on the list of last year’s attendees and I think we have a convention that’s truly suffering and may not make the 2009 season.

I receive a lot of phone calls from vendors, but in general only from vendors who have access to the lists of events I’ve actually attended. This year I’m showing up on the list of people who attended CTST, despite the fact that I’ve never attended and have never been to Florida, where the event is held. It makes me wonder how much of the list of attendees is based on people who actually attended last year and how much is based on the people who were invited. I may be a statistical outlier, but from what I know of the convention biz, I also won’t be surprised if I find out I’m not the only one.

CTST looks like a convention I’d be interested in; it’s all about payment cards and the ways in which different credit and debit cards can be secured. It’s a natural fit for just about anyone in the PCI arena. But right now I don’t have the time to attend, nor the energy to fly cross country even if I did. But listing me as an attendee for something I never showed up at is annoying, and if it happens again this year, I’m going to be more than annoyed; I might have to blog about it in a snarky, sarcastic manner.


Apr 16 2008

If you want a specific answer, ask a specific question

Published by Martin under General

I’m on a large number of mailing lists. Before there were blogs, mailing lists were one of the primary ways I received my security-related news and got questions answered. I participated in a fair number of forums too, but preferred mailing lists because the news would come to me rather than needing to go back to a site to see if anyone had responded to me. I still find my forum posts listed in Google from time to time when I do an ego search (I know I’m not the only one who types their own name into Google from time to time just to see what comes up).

One of the things that I find again and again on mailing lists is the one or two line post to a list asking such a general question that almost any answer you give will apply. You know, the sort of thing like “What should I do next in my security career?” or “What’s the next big thing in security?”. Questions that are so vague and pointless that they either get ignored on the list or get answers that have nothing to do with what the person posing the question really wanted to know. This leads to on-list arguments about stupid answers or general comments on how useless and clogged up the mailing list is. The more traffic a mailing list sees, the more likely this is to happen. A prime example of this is the CISSP mailing list, which often degenerates into discussions of poutine and the relative merits of Tim Hortons vs Dunkin’ Donuts. It’s a closed list, so I hope I’m not putting my ethical standing as a CISSP at risk by revealing how immature a group of security professionals can be from time to time.

I don’t think it’s bad for a list to get silly or flame up once in a while, but I do think the value of the discussion is directly related to the questions posed on the list. The energy someone puts into explaining the question they’re asking, the time they take to pose it in the clearest possible way, is directly linked to the clarity and energy someone will put into an answer. If your question is about the next step in your career, take a couple of paragraphs to explain how you got where you are and what it is you want to do next. If you want to know what the next hot technology is, explain what your industry is and what you might find useful. In addition to giving the other members of the list a specific topic to respond to, it might help you understand your own question better. I’ve always been amazed at how much taking the time to write out my thoughts clarifies my own understanding of a topic.

I like mailing lists as a way to get information and see how a group or industry is thinking. But the worth of a list is directly influenced by the amount of energy people are willing to put into it. When people take the time to formulate the real question they’re asking rather than throwing out a general inquiry, the signal to noise ratio of the answers goes way up. Most of the responses on any mailing list come from a small minority of the members, so taking the time to understand who those people are and how they think will directly influence the response.

I’m not writing this in response to a single person or incident on a particular list; vague questions seem to be endemic to mailing lists everywhere, and I know my rant won’t do much to change that. But now I have someplace I can point people to next time they ask a question like “How do I improve the security of my enterprise?”. If you take the time to formulate the question and really specify what it is you hope to get out of the answer, you might be surprised at the quality of the answers you get in response.


Apr 09 2008

Video streaming starting shortly

Published by Martin under General

You’ll be able to watch the Security Bloggers Meetup live from RSA over on Ustream at 6:00 sharp.


Apr 08 2008

Day 1 of RSA

Published by Martin under General

Day One of RSA has come and gone, and with it the first wave of vendor presentations and parties. This was just a warm up for things to come, but it was a day well spent. I stayed out much later than I should have, though I wasn’t drinking much and won’t be paying for it today.

Michael Santarcangelo organized a small event with the folks at Symantec to provide feedback for them on several product lines they’re working on. For the most part they seemed honestly interested in hearing what we had to say, though that varied from person to person. And it’s a good thing, because the group around the table had a lot to say, with me near the front of the pack in being vocal.

For the next version of Norton, speed is the only thing they’re concentrating on. How long does it take to install, how much does it add to boot up, how long does it take to uninstall? These are all questions Symantec is asking themselves, because the performance hit AV causes has apparently been one of the biggest complaints they’ve received from their customers. There’s a bit of concern that by concentrating on speed rather than new features customers won’t see a need to purchase Norton, which may be true, but I think corporate customers will be drawn by an AV product that interferes with their users as little as possible.

The product that definitely caused the most discussion is a family protection suite, tentatively called “Family Safety”, that hasn’t even hit beta yet. What I found interesting in this product wasn’t the technology itself, but rather the philosophy that went into its design. Rather than just blocking kids and alerting Mom and Dad, it’s designed to tell kids exactly why they’re being blocked and make sure they know what rules they’ve broken. It’s adjustable to accommodate the kids as they grow older, it has different profiles for each kid and reporting capabilities for parents.

The one word that kept coming up again and again was ‘conversation’; Symantec views blocking and monitoring as a parenting function, not a function of technology. They’re trying to create software that makes sure everyone involved knows what’s being blocked and why, and facilitate the conversation between the adults and children. Rather than being a dictatorship making arbitrary rulings, Symantec is trying to explain why certain sites are blocked and how they fit into the house rules. There’s a lot that still needs to be hammered out in this model and it takes more interaction from parents, but I believe they’ve got a very good start on a program that helps parents and their children communicate rather than just blocking web sites and leaving it at that. I’m looking forward to the beta of this project.

The final session was on Vontu, and I have to say this was my least favorite session. As I stated yesterday, I view Data Loss (or Leak) Prevention as a need that has to be pushed and managed from the business side of the house, not the security side. Kevin Rowney, the founder of Vontu, tried hard to express DLP as a risk based security issue, but I’m still not convinced that the security arena has matured to the point this is a valid argument. Most corporate security people aren’t to the point where they can successfully argue for technologies from a risk standpoint, and most business people aren’t ready to listen to security practitioners provide input on business decisions. The only way I can see any DLP product being sold into a business is if the impetus comes from the top levels of the company and is entrusted to security, as opposed to being an initiative sponsored by IT and security. There is definitely a security aspect to DLP, but we’re years away from the sort of risk based approach needed to push DLP in the enterprise from the security department. And DLP isn’t cheap, placing it out of reach of all but the biggest companies, like the Fortune 1000.

The showroom floor opened with a bang last night, and the reception made sure that most of the security folks would be scarfing down the free food where they could be approached by vendors rather than spending their per diem in the restaurants around the Moscone Center. Every year there seems to be more vendors. A quick walk through last night with George Starcher, the former host of the In the Trenches podcast, didn’t reveal any big surprises, other than a fair number of companies I haven’t seen or heard of before. The next couple of days will reveal a lot about who’s there and what the big new technologies are, as well as getting me roped into any number of vendor presentations. Should be interesting if not necessarily fun.


Mar 13 2008

All your passwords belongs to us!

Published by Martin under General

According to InfoWorld, over 10,000 web pages (that’s pages, not sites) are infected with malicious JavaScript (edited: was Java) code aimed at installing password capturing software on as many machines as possible. But their target isn’t your bank account, it’s your online gaming credentials. If you weren’t already aware that most online gaming communities have a real world economy based on buying in-game goods, here’s your proof. I know from the spams I get in City of Heroes that there are a lot of sites that will offer to give you every in-game toy you’d ever want. All you have to do is give them your password and they’ll hook up your account. Umm, no thanks.


Mar 04 2008

Carnival of the Security Catalysts Community for 03/04/08

Published by Martin under General

I’ve been a member of the Security Catalyst Community from the beginning and a friend of its founder, Michael Santarcangelo, for a couple of years now. It’s true I only rarely post to the forums and I’ve only met Michael face to face once, but it still counts. By being involved in the community I’ve been able to get involved with some very interesting projects and meet a large variety of security professionals from around the nation. Whether you’re just getting involved in security or you’re a seasoned professional, the Security Catalyst Community represents a great place to ask questions, bounce ideas off the wall and just get an idea of what other like-minded professionals are thinking about in the world of security. Take a moment to sign up and poke around, but be aware that real names are required and the forums are moderated to keep the conversations on track.

Here are a few of the more interesting recent topics:

There’s a good chance that there will be a breakfast meeting of the Security Catalysts Community one morning at RSA this year. If we can manage to get out of bed early enough to still be able to make it to presentations. And if we’re not too hung over from the parties the night before. Join the community and join us for breakfast.


Feb 17 2008

Headed North for a few days

Published by Martin under General

I’m going somewhere I’ve never been before this week, specifically Montreal.  I’ll be there tonight through Friday morning, spending most of my time working with a client.  However, I won’t be working at night, so if there are any security professionals in the Montreal area who want to meet up for a drink and to shoot the breeze, drop me an email or give me a call on my cell.  My contact information is on the ‘About’ page, but I’m not going to reprint it here, just to avoid one more place for scrapers to find the information.

I am looking for some ideas of things to do while I’m in Montreal, so suggestions will be appreciated.  I’ll finally get to find out what the big deal is about Tim Hortons coffee and poutine, two topics that come up often on the CISSP mailing list.  I feel confident that I can make an objective judgment about which is better, Tim Hortons or Starbucks.


Feb 07 2008

Conspiracy Bingo

Published by Martin under General

Now that the total of cables cut or disabled in the Middle East has risen to five, there are even more conspiracy theories coming out of the woodwork.  And it’s no wonder; if 50 of these happen a year worldwide, to have five happen within a week in a geographically limited area is a statistical anomaly to say the least.  I’m betting that this is just what it appears to be on the surface, a series of unrelated failures that just happened in a short period of time.  But it is fun to speculate and try assigning human interference to the problem rather than natural events.

If this is a conspiracy, then the target isn’t the cables that have been cut.  Think about it, what conspiracy would do something as direct and overt as cutting these cables?  No, the real target would be re-routing the traffic over cables and networks the conspirators already controlled before any of this started.  Or they’re trying to distract all the conspiracy buffs from something even bigger happening elsewhere.  Whatever they’re doing, the loss of these cables and the disruption to Internet traffic in the Middle East and India is a side effect, not the real target.

Conspiracy theory is attractive because it pulls in so many threads of truth and weaves them together in a believable story.  It’s the sort of speculation and half understood facts that fuel the Internet and the Blogosphere to begin with, so events like this are going to bring out anyone and everyone with an ax to grind with a government agency or secret society.  Even if, or maybe especially if, the official reports say that these were all natural occurrences, conspiracy theories are going to continue.  After all, every once in a while a real conspiracy proves to exist.

If you think the Internet’s abuzz now, just wait until cable #6 goes.


Feb 01 2008

rm -rf cable*

Published by Martin under General

I don’t know about you, but I’m a little concerned that there have been three separate underwater cables cut in the Middle East and India.  Once is bad luck, twice is a coincidence, but three times makes me wonder if it’s not more than just coincidence.  If a fourth cable gets cut in the next couple of weeks, I’m really going to start thinking about a conspiracy.

The local news was making a big deal of this incident, not because of the outage itself, but due to the fact that it was affecting the customer service of all the companies that have centers in India.  I won’t be at all surprised if this incident causes a number of the tech support jobs that have gone to India in the last five years to be pulled back to the US.  I suspect that there are a number of companies that are waiting for an excuse like this to return their support centers back home, especially with the way stay-at-home call center services are picking up.  Maybe I can convince my wife to take one of these jobs now that the kids are in school most of the day.


Jan 20 2008

Sunday morning links

Published by Martin under General

Here’s a few stories that caught my attention in the last 48 hours. 

  • Hackers cut cities’ power - So much for the invulnerability of the SCADA systems.  If it can happen in other countries, it can happen in the US.  There might be a bit more effort involved, but it can happen.  Chris was nice enough not to include a direct “I told you so”, but he’s obviously pleased to be proven right.  Why did I ever think our SCADA network would be any more secure than the rest of the Internet?
  • Dangers of remote Javascript - O’Reilly learns that even if your own site is perfectly legitimate, if you rely on the code of others it can cause problems.  An advertiser let their domain name lapse and a porn company picked up the domain to redirect traffic to their own sites.  Not a terribly sophisticated hack, but effective.
  • Cyber unit pivotal in solving crime online and off - I haven’t listened to this yet, but it’s the first of a four part series on cybercrime.  This could be another tool to use in your own company’s awareness plan.  NPR usually does a pretty good job of passing along information without dumbing it down too much.
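Both the lapsed advertiser domain in the O’Reilly item above and the injected password-stealing JavaScript in the March 13 post come down to the same question: which hosts is a page actually pulling script from, and did you expect all of them? The check below is an added example, not code from this blog, from O’Reilly or from InfoWorld. It parses a served HTML page, lists every external `<script src>` host, and flags any that aren’t on an allowlist you maintain. The sample HTML is constructed and the host names in it (example.com, cdn.example.net, stats.example.org) are placeholders.

```python
"""Audit which hosts a page pulls <script src=...> from, against an allowlist.

Added example; not code from the original post. The sample HTML below is
constructed and the host names in it (example.com, cdn.example.net,
stats.example.org) are placeholders, not real dependencies of any site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag that has one."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value and value.strip():
                self.srcs.append(value.strip())


def external_script_hosts(html, page_host):
    """Return, in document order, the hosts of script includes that are not
    served by the page's own host. Relative URLs and inline scripts are
    skipped; protocol-relative URLs (//host/x) resolve to that host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    page_host = page_host.lower()
    hosts = []
    for src in collector.srcs:
        host = urlparse(src).netloc.lower()
        if not host or host == page_host:
            continue
        hosts.append(host)
    return hosts


def _is_allowed(host, allowed):
    # Exact match, or a subdomain of an allowed host (cdn.example.net under example.net).
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_scripts(html, page_host, allowed_hosts):
    """Return the distinct external script hosts that are not on the allowlist.
    An empty result means every remote include came from a host you expected."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for host in external_script_hosts(html, page_host):
        if not _is_allowed(host, allowed) and host not in findings:
            findings.append(host)
    return findings


# Constructed sample: a page on www.example.com with one local include, one
# include from a known CDN, and one from a host that is not on the allowlist.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script type="text/javascript" src="//stats.example.org/t.js"></script>
<script>var inline = 1;</script>
</head><body>
<script src="http://WWW.EXAMPLE.COM/js/page.js"></script>
</body></html>"""

if __name__ == "__main__":
    for host in audit_scripts(SAMPLE_HTML, "www.example.com", ["cdn.example.net"]):
        print("unexpected script host:", host)
```

Run it against what the server actually sends, not the template in source control: injected script of the kind in the March post only shows up in the served page. The allowlist also only tells you the host is one you meant to trust; it says nothing about whether that name is still registered to the party you trusted, which is exactly how the O’Reilly case went wrong, so the list needs the same ownership review as any other third-party dependency.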
