Archive for the 'Simple Security' Category

Apr 07 2008

What do I expect to see at RSA?

Published by Martin under Simple Security

This is a decidedly un-scientific survey, but if the stream of emails I’ve been receiving the last couple of weeks is any indication, PCI, virtualization and anti-malware will be the belles of the ball at RSA this week. DLP will put in a good showing, but the other three will be much more prevalent, with PCI in the lead by a significant margin. Of course, this is just based on the PR emails and requests for meetings, but that’s been a pretty reliable indicator before.

My own employer, Trustwave, will have a booth at RSA for the first time ever. We’re going to be talking about PCI, but our managed services offering will also be a large part of the message being communicated. I don’t plan on being there much, but I will be stopping by the booth from time to time. I’m nearly as interested in seeing what my own company’s message is as I am the competitors’. PCI isn’t an issue you can fix with a single product, even ours, so be very wary of the vendor hype as you wander around the showroom. Many companies offer solutions that address one or several points, but no one can wave a magic wand and make you compliant. That’s enough of my own professional windmill tilting for the moment.

Virtualization is the hot topic of the moment, so expecting a big turnout of technologies addressing all its foibles is a no-brainer. The real question will be how many of these products are really virtual machine related and how many are just other products that were re-branded to take advantage of a PR wave. It’s a bit harder to rebrand as VM compared to NAC a couple of years ago, but I’m sure a number of companies will be doing exactly that. Anti-malware is going to be in evidence just because its cycle is peaking right now; there’s not a lot new here, but it’s something people are thinking about again as the malware writers complete the shift from talented amateurs to professional criminals. And DLP is still a good idea, but when it comes down to it, I think this is a technology that is less a security product and more a business policy enforcement product. Unluckily for DLP, there are no ‘business policy enforcement’ conventions.

The press releases continue to pour in as I get ready for my week at RSA. I skim every single one, do a quick read on about half and take the time to really understand about 5% of the press releases I get. It’d be higher, but most of the PR folks just spam everyone on the RSA Press list, never taking the time to figure out if their product is relevant to the people they’re sending the press releases to. Me, cynical? Nah, you must be thinking of someone else.


No responses yet

Apr 06 2008

RSA starts tomorrow

Published by Martin under Blogging, Podcast, Simple Security

Ah, RSA. An event that is equal parts excuse to meet friends, endurance test and serious security exercise. It’s one of those events that I look forward to for months, while also dreading the exhaustion I know will set in by Thursday evening. Days are spent trying to find the nuggets of truth amongst the marketing propaganda while the nights are spent wandering from party to party, drinking the same companies’ alcohol. To put it bluntly, it’s both the best and worst parts of the security sphere.

I’ve got so many friends coming to town this week, many of whom I only see at RSA. We’ve got the Security Bloggers Meetup Wednesday night, from which Rich and I will be streaming live video. There are several lunches, breakfasts and dinners with friends, as well as the chance meetings that happen every couple of steps on the showroom floor. And then there’s all the friends I just haven’t met yet that will be at RSA. If you’ve never guessed by reading the blog or listening to the podcast, I’m a social creature; I’m at my best in a crowd. I love the opportunity to reconnect with my existing friends as well as making new ones.

The endurance test comes in somewhere around Wednesday evening or Thursday morning. Tuesday night is the first of the big parties, with everyone from Microsoft to Sourcefire to RSA themselves throwing parties and having dinners at every available venue within several blocks of the Moscone Center. I have nearly two dozen different invites for Tuesday night, only a fraction of which I can even try to make. I almost forgot about the speakers’ dinner, something I get to go to for the first time ever. Wednesday night is the Security Bloggers Meetup, and if I make it through that I’m going to buy Jennifer Leggio (aka Mediaphyter) more than a few drinks for all her hard work in putting it together. But not so many that I miss my own panel, Avoiding the Security “Groundhog Day” (BUS-302) Thursday morning. A hearty dinner and lots of water should help a lot with that.

Rich and I will be ‘micropodcasting’ from the event. We’re going to post at least two short interviews each day, Tuesday, Wednesday & Thursday. We’ll also be meeting for a recap each day to relate some of the more interesting technologies and people. The micropodcasts will be short, with a quick intro and outro, hopefully no more than five minutes apiece. They’ll be available in the same RSS feed as the main podcast, so if you’re subscribed in iTunes, you’ll be getting them already. And we’ll be streaming the video from the Security Bloggers Meetup, which is going to be episode 100 of the podcast. I’ll be posting the link for the live video stream right before the event on Wednesday. I’ve never done live streaming video before, so the thought of gremlins in the machines has me a little spooked.

I sometimes make fun of marketing/PR folks, but without them there would be no RSA event. Their efforts to sell security products, to gain attention for their companies, to talk to as many press/blogger/podcaster people as possible is what drives the security industry. There is a dark side to marketing and public relations, but I’d be an idiot to believe that the industry could survive one reporting cycle without them. But hopefully I can help see through some of the hyperbole and ask the questions that will get through to what these companies are really offering. I don’t want to hear “Our product will solve all your PCI problems, make your company secure and make you a sandwich while you get a well-deserved rest!” I want to know what you can really do. And what you can do now, not with the next product release.

I’ll be twittering some, I’ll be blogging when I can and I’ll be reconnecting with friends as much as possible. RSA 2008 is going to be a blast. Friday, April 11th will be the crash afterwards.


No responses yet

Mar 09 2008

They grow up so quickly: Club Penguin

Published by Martin under Simple Security

Friday evening my oldest son asked me “Dad, can I join Club Penguin?” I’d heard of Club Penguin before, when Jeremiah Owyang had written it up, but I really didn’t give it much thought after that. It’s a social media/virtual world for children ages six to fourteen owned and managed by Disney. So when my son asked if he could join, I clenched my teeth and told him I’d talk to his mother about it. Little did I know at the time that she’d already told him to talk to me. I was tense about it, because I knew I couldn’t let my eight-year-old participate in this social networking tool unless I let my six-year-old play too.

I did some research this morning on Club Penguin, starting with their “Parents of Penguins” page and moving on to a Google Search. I wasn’t able to find any truly negative reviews, though a few borderline examples did exist. What I found out is that Club Penguin is a social media experiment started by three fathers in Canada and then purchased by Disney. They heavily monitor activity on the site, there are language filters in place and I, as the parent, have control over their accounts. As much as I wish I could have found something that would have allowed me to say no to them, it just isn’t there to be found.

The sign-up process is fairly simple and Club Penguin has a pretty good privacy policy. There are two types of accounts you can sign up for, one free and the other for $5.95 a month. I’m not currently willing to spend $12 a month between the two boys for something they may or may not still be playing in a month, so I signed them both up for free accounts. The main differences seem to be the ability to have more pets and accumulate more coins to buy in-game clothes and decorations. If they get good grades this semester, signing up for the pay-for version may be in the cards, but I think the wife and I will have to talk about that in greater detail.

The sign-up process was fairly simple and basically just required a valid email address to send the account activation code to. I think this is a weak point of the system because there’s no verification that the email account belongs to an adult, but in my kids’ case, they don’t have email yet. There are a number of good, common sense hints on the Player Safety page, such as “Don’t use your real name for your account name.” As part of the account creation process you’re asked if you want to allow your children to use Standard Safe Chat or Ultimate Safe Chat. I allowed my older son to have the standard while I placed my youngest son in the Ultimate category. Using the Ultimate Safe Chat, the parent has a password that must be typed in to change to Standard Safe Chat. Both of these have decent filters, but several articles state they can be gotten around using some of the standard schemes, like putting spaces between the letters. I haven’t tested this yet.

Each of the boys got their own accounts with names they made up with a little help and they got to choose their own penguins. They each have a password that exceeds the site’s minimum requirements and I made each brother leave the room when we were typing in the other boy’s password. We sat down and discussed what is appropriate behavior online and what is not. I guess I’ve talked about it enough in the past because they both knew that telling anyone their real name, phone number or address is a no-no, which makes me feel I’m doing my job. We then came up with three rules for using Club Penguin and added a fourth while they were playing. We wrote out the rules, posted them on the wall next to their computer and let them go at it for an hour. I let my youngest play on my MacBook Pro and they finally found each other and started to throw snowballs at each other online. Everything in Club Penguin is Flash-based, happens in the browser and works fine on the MBP in Firefox, after I approved it in NoScript.

My boys are growing up and I’m sure this is only the first social media/virtual reality tool they’ll want to use. They already play a version of Pokemon online using the Wii, which is why they know the rule about not telling anyone their real name. But the Pokemon game is just battling other Pokemon masters (Why, oh why do I actually know what they’re called?) whereas Club Penguin was created from the start to be a social space. The tools to do this are only going to get more complex, easier to use and, I assume, more integrated with standard web pages, making it harder to distinguish when you’re in the social space. I hope I’m giving them the right grounding to be able to understand what’s acceptable and what’s not online.

As much as I’m cautious about Club Penguin, I know it’s safer than letting them go to the park at the end of the street. There are more automated safeguards in Club Penguin than there will ever be at the park. But as Bruce Schneier sometimes points out, we tend to place more weight on the dangers we don’t understand than the ones we know and deal with on a daily basis.

Our four rules for Club Penguin, posted on the wall next to the computer:

  1. Club Penguin is a privilege, not a right
  2. The door to your room has to be open or you have to play Club Penguin on a computer in the common area
  3. Tell Mommy or Daddy immediately if anyone asks you for your real name, address or phone number.
  4. No logging into your brother’s account!!

Have I missed anything major? I’ll be sure to post if there are any major updates.


19 responses so far

Feb 27 2008

Heading for BaySec

Published by Martin under Simple Security

Heading to San Francisco and Pete’s Tavern for BaySec in a few minutes. Hope to see some of you there. Sorry for the late reminder, I’ll try to post on BaySec a day or two ahead of time from now on. If only we could get someone to update the BaySec site in a timely manner. At least I’m in town for this one, instead of some exotic location like Montreal or L.A. Of course, I’m headed to L.A. tomorrow, so tonight will have to be fairly short.


No responses yet

Feb 01 2008

Who are you calling a Twit?

Published by Martin under Simple Security

I’ll be the first to admit I joined Twitter and Facebook thanks to social pressures from Jeremiah Owyang. I figure that when you’ve got a friend who’s a social media guru, you should listen to his advice once in a while. I’ve regretted signing up for both some, Facebook because of the privacy issues, especially Beacon, and Twitter because it is such a time and attention hog if you let it. Both are great social networking tools and have helped me get in contact with other security professionals and fans of the blog/podcast. If you keep in mind that everything you put on either of these tools can be read by your boss or potential boss, that is.

That being said, I’m still not a big user of either tool, though I monitor Twitter via Twhirl most days. I respond to invites in both tools and will usually follow people who are following me if they sound interesting, but I rarely go looking to add more friends. I look at Facebook as a good way to get in touch with listeners, while I find Twitter to be a good way to keep up with events happening with my friends and colleagues. I also find Twitter to be a good way to waste much of my day as I respond to fellow twitterers (?) and read the articles everyone posts about.

On the other end of the spectrum in the security community is someone like Jennifer aka Mediaphyter. Jennifer has gone out of her way to find as many security professionals who are using Twitter as possible and named us the “Security Twits”. I don’t like the name myself, partly because it sounds like an insult, partly because it makes me feel like we should be on a podcast with Leo Laporte and Steve Gibson. Leo’s a great guy, but sometimes Steve makes me feel like he missed his meds first thing in the morning. Not that I’d turn down a chance to be on their show, of course.

If you’re a Twitter user and want to follow a bunch of security professionals, you need to take a look at Jennifer’s list. I’ve already found more than a few people I’ll be adding to my own list. I have this funny feeling that the list might get hijacked by a reporter somewhere and listed as the “most influential people in security” in the not too distant future. At least Amrit’s not at the top of the list this time!


2 responses so far

Aug 19 2007

More data points in the disclosure argument

Published by Martin under Simple Security

I’ve always been a proponent of ‘responsible disclosure’; that is, researchers give companies a reasonable amount of time to research and fix vulnerabilities and in return companies give researchers credit and treat them with respect. This is a workable system, but it takes everyone involved to act like an adult and offers no hard and fast rules for how long a reasonable amount of time is. It’s not easy, but it is workable.

There are extremes at both ends. Some companies would prefer that researchers stop mucking around in their products and get real jobs. The problem with that position is that the bad guys are going to continue to find vulnerabilities in products, because that’s where the money is. So obviously, non-disclosure isn’t going to work. At the other end of the spectrum, full disclosure gives the bad guys too much information and doesn’t give the affected companies the time needed to come up with a defense. Another problem with this is that you can sometimes anger much of the security community, which is apparently what happened in the case of Whitedust; they shut down operations last week in response to heavy criticism and backlash from the security community.

Most situations sit somewhere between the two extremes. Security researchers are trying harder to work with the companies who produce the vulnerable software and in many cases companies are returning the favor and treating researchers with more respect. This has yet to become the rule, as David Maynor’s nearly legendary relationship with the Apple corporation shows. Apple would rather deny that the issues exist and let their PR department deal with any naysayers. Companies like Google take a slightly different tack and say that the vulnerabilities reported to them are ‘expected behaviour’, as happened to RSnake.

It’s hard for a security researcher to continue to work with companies when the researcher is attacked or ignored. I also understand why companies react so badly sometimes; after all, no one likes having their errors pointed out to them continuously. But we’re at the point in the game where it’s up to companies to take the high ground, admit to their mistakes, fix them and credit the people who find the vulnerabilities. Most researchers don’t have that much to lose if a company denies that a vulnerability exists, but then patches it a couple of months later. On the other hand, every time a company does exactly that, it makes it less likely that the public is going to take the next denial at face value.

I’ve sometimes been hard on Microsoft for the security of their products. But this is one area that I’ll give them the credit they deserve and say that Microsoft has made great strides in over the last few years. They still stumble once in a while, but it’s a lot better than attacking the people who are researching you, or constantly threatening to sue anyone who exposes a vulnerability, like a certain database company whose name starts with “O”.


No responses yet

Aug 10 2007

Buy your friends and family the latest issue of Consumer Reports

Published by Martin under Simple Security

I’ve always been a big fan of the Consumer Reports magazine, but the September issue has to be my favorite one ever! In nice big letters, the headline is “Stop ID thieves”. They’ve got several articles on staying safe online and avoiding phishing scams, but I think one of the best pieces of advice they give is for people to turn on the protection they already have on their systems. They also review many of the anti-virus programs and security suites, with a view towards the consumer who might not have a lot of experience in these things, and they rate Trend Micro at the top in all of the categories. I’m not sure if I agree with their scoring and ranking, but at least it gives the average end user something they can easily understand. I think I’m going to see if I can purchase 4 or 5 copies to give away.


One response so far

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30-day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?


4 responses so far

Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way: scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.


No responses yet

Jun 18 2007

Talking to Dana Epp about Strong Authentication

Published by Martin under Simple Security

As most security professionals know, passwords are a losing proposition. We use them because the capability comes with your operating system, but their weaknesses are many. Here, Dana Epp talks about the capabilities of token-based authentication, as well as some of the weaknesses. He hopes that some day in the not-too-distant future we will control our own digital identity rather than having a different identity with each and every merchant or server.

When I heard that Dana was going to be at Linuxfest Northwest in May, I wasn’t going to miss a chance to talk to him. Dana was one of the first security professionals to start blogging, and he’s been a personal inspiration for my own blogging. I caught up with him after he gave a talk on strong authentication, and just before he headed into another talk on OpenID.

And if you haven’t already taken the Podtech survey for me, I’d really appreciate you taking a few minutes to do so now.


No responses yet
