Archive for the 'Podcast' Category

Mar 16 2010

Network Security Podcast, Episode 189

We’ve been hearing about the Aurora attacks on Google and a host of other companies since early January.  So why is it that NSS Labs is finding that the majority of the End Point Protection (aka AV) companies aren’t protecting against the vulnerability yet?  And why is AVG upset with NSS Labs and their testing methods? To answer these questions and many more, Rich and Martin were joined tonight by Vikram Phatak, the CTO of NSS Labs.  Vik gave us some of the back story on why they were testing AV products and some of the surprising discoveries they made.  It’s not easy being an independent testing company and sometimes you’re going to annoy people despite your best efforts.  And sometimes people are going to be annoyed with you no matter what.

One point Vik wanted to make that didn’t make it into the podcast is that the 0day that was used in the Aurora attack is not just being used against corporate targets.  It’s being used against consumers as well, so it’s important that the average home user be aware that their AV product may not be protecting them at this point.  What is part of the podcast is a discussion of how many AV vendors are trying to protect against the payload that malware is attempting to deliver, not the exploit itself.  Both are important points people need to be aware of.

Network Security Podcast, Episode 189, March 16, 2010
Time:  39:56


Mar 14 2010

Listener Survey for the podcast

Published by Martin under Podcast

We’re trying to get some background information about who our listeners are, where they sit in their security careers and what we can do to improve the Network Security Podcast.  We’d really appreciate it if you can take 5 minutes or less to fill out the survey and tell us how we can serve your needs better.  This is the first time we’ve done this, so the questions may not be the best phrased, but hopefully you’ll get the idea.  You can probably guess some of the reasons we’d be interested in this information.

Click here to take the Network Security Podcast survey


Mar 09 2010

The Network Security Podcast, Episode 188

Published by Martin under Blogging, Podcast

Can you hear that? That’s the sound of air escaping as we all finally recover from the RSA conference. Rich and Martin are back, and Zach… never left (but did celebrate a birthday last week). We do a quick recap of RSA and then dig into the security news… much of which had nothing to do with the conference. Weird.

Network Security Podcast, Episode 188, March 9, 2010
Time:  32:01


Mar 08 2010

RSAC2010: Sourcefire

Published by Martin under IDS, Podcast

Snort was one of the first security tools I ever used.  When I was working in a small computer lab years ago, I set up a Snort sensor just to see what was there.  And there was a lot in that particular environment.  I’ve used it many times since then and I found out at RSA that the first Sourcefire implementation I performed is still in place, basically unchanged since I left.  This is why I always take the opportunity to talk to Marty Roesch at Sourcefire if I can at RSAC.  This time I got a chance to talk to him about the omnipresent APT (he prefers using the term APA, coined by @nselby and others), the security existential crisis, the work Sourcefire is doing with Immunet, the Cloud and Sourcefire’s virtual appliances.  All that noise you hear in the background is the Securosis Recovery Breakfast.

NSP-RSAC2010-Sourcefire.mp3


Mar 08 2010

RSAC2010: ISC2

Published by Martin under CISSP/ISC2, Podcast

I’ve been a member of the International Information Systems Security Certification Consortium [(ISC)2] for nearly a decade; I passed my CISSP test in November of 2002 and don’t have to worry much about CPE’s until at least 2011.  So when I was offered an opportunity to talk to Hord Tipton, Executive Director of the (ISC)2, I didn’t hesitate to take them up on the offer.  We started off easy, talking about what’s new at the (ISC)2, and the Safe & Secure Online Program.  Then we moved on to the harder questions, like “What have you done for me lately?” and “What are you doing about people who shouldn’t be CISSP’s in the first place?”  The (ISC)2 is never going to make all of us who are certified happy, and they are taking some steps to address concerns about unqualified practitioners, but it’d be nice if they were a little more public about it.  Oh, and you’ll hear at the end that the (ISC)2 definitely accepts listening to podcasts for CPE’s.  I forgot to ask about producing them.

NSP-RSAC2010-ISC2.mp3


Mar 07 2010

RSAC2010: Astaro Internet Security

Published by Martin under Firewall, Podcast

Jan Hichert, CEO of Astaro Internet Security, and I met in one of the quieter hallways of the 2010 RSA Convention.  Of course, ‘quiet’ is a relative term when it comes to RSA, but the audio came out acceptable in any case.  We talked about several of the new products Astaro is offering this year, including Astaro Mail Archiving, Astaro Wireless Security and Astaro RED.  We finished the conversation talking about Jack Daniel’s new position at Astaro, social media and Security BSides.  I think Astaro is one of the few security companies that actually get social media, in large part thanks to Jack. 

NSP-RSAC2010-AstaroSecurity.mp3


Mar 06 2010

RSAC2010: F-Secure

Published by Martin under Malware, Podcast

While I’m sure Mikko Hypponen, Chief Research Officer at F-Secure, is getting as tired of hearing the term APT* as the rest of us are, he had some insight into what’s really happening with this threat and the fact that it’s not something new; it’s just the acknowledgment that it’s happening that’s new.  He’s been seeing similar attacks going on for nearly six years; what’s changed is the recognition of and public attention to the threat.  He believes that the organized crime component of malware will be moving to smart phones as the criminals realize that it’s easier to make money quickly and easily from phones than the complicated hoops they have to jump through to make money from computers.

NSP-RSAC2010-FSecure.mp3

* I’m with @CSOAndy who believes the A in APT should stand for Adaptive, not Advanced.  It’s much more descriptive of what’s really happening.


Mar 06 2010

Network Security Podcast, Episode 187

Published by Martin under Podcast

Note:  Rich and I were kind of busy this week, so we let Zach run with the podcast.  Now I have to go back and listen myself to hear what was said.  I’ve been told I shouldn’t be worried, but…

Martin and Rich are away at RSA — and I’m all alone. Well, actually, I have a special guest host: Jamie Arlen (a.k.a. Myrcurial) — and boy did we have a lot to talk about. Tonight’s show is a bigun’, clocking in at about 50 minutes. So, apologies for the lengthy show and file.

Network Security Podcast, Episode 187, March 3, 2010
Time:  51:05


Mar 02 2010

RSAC2010: Mark Bower, Voltage Security

Published by Martin under Encryption, PCI, Podcast, Risk

As a PCI QSA, one of the big technologies I’m looking at this show is end-to-end encryption (E2EE).  So it’s no surprise that my first interview of RSA 2010 is with Mark Bower, the Director of Information Protection Solutions at Voltage Security.  We talk about what E2EE is, how it will affect merchants and what we might be seeing in the future from Voltage SecureData Payments POS SDK.  I hope that we’ll see adoption of Voltage’s SDK or something very similar in the coming year; we need to help merchants protect cardholder data as close to the point it enters their network as possible.

NSP-RSAC2010-VoltageSecurity.mp3


Mar 02 2010

RSAC: Tuesday, March 2nd

Published by Martin under General, Podcast

The best laid plans of mice and all that:  I planned too much for RSA this year and despite having several interviews already recorded and edited, finding the time to actually upload them has been nearly impossible so far.  It doesn’t help that AT&T’s 3G network in downtown San Francisco is severely impacted by 10,000 security professionals descending on the area for a week.  Hopefully I have a chance to get a little more time between meetings today.

Today’s schedule is both heavier and lighter than yesterday’s.  It’s heavier because I have meetings with F-Secure, Xceedium, Astaro, Agiliance, Kaspersky Labs and a metric ton of parties to go to tonight.  It’s lighter because I actually scheduled a little time between meetings and some time to wander the show room floor for a couple of hours.  I still may not have the time to upload or edit many of the interviews I’m collecting.  I vow my schedule next year will have to be a lot lighter.  I think I’ve made that vow before though.

Time to go find coffee and get ready to assault the day.  Because I know if I don’t take a running charge at my schedule, it’s going to run me over.
