Archive for the 'Social Networking' Category

Feb 22 2010

SecurosisTV: Three faces made for podcasting

Published by Martin under General, Humor, Social Networking

The horror! These guys should never be allowed to show their faces! Teasing aside, Rich, Adrian and Mike do a great job of laying out the three basic themes you should expect to see at RSA this year.  Cloud computing, Advanced Persistent Threat and Compliance are going to rule the floor at RSA.  Cloud computing and APT are this year’s big buzzwords that are poorly understood by the majority of the industry, therefore vendors and their marketing departments hop on the bandwagon in an attempt to define these new terms in their favor.  And compliance is going to be big because it’s what everyone has to do, whether they want to or not.

Given what I do by day, don’t be surprised that most of the podcasts coming out of RSA are going to be about compliance.  But I hope to step outside my little box at least a little and bring you some other interesting interviews.  I may even get a chance to catch up with Rich for a few moments, or at least grab one of his Securosis cronies for next week’s podcast (I’ll probably hear about it for calling them that).  Zach can’t make it; he muttered something about finances and his birthday.


Nov 02 2009

The Reality Behind Facebook Ads

Michael Arrington sure knows how to stir up a crap storm.  Saturday he started bringing to light the amount of scamming and dishonest practices behind ads and games on Facebook and MySpace.  I’m pretty sure that the people who think the ads are legitimate are in the minority, but even I was stunned by the sheer magnitude of the money changing hands behind the scenes.  I assume part of why I was unaware of the issue is my own limited use of Facebook and complete refusal to visit MySpace.  Sure, there are rules that try to limit the scams, but the reality is that the technology allowing scammers to earn big bucks is changing much faster than anything the big social network sites can do.  I wonder if this sort of ecosystem isn’t exactly why Twitter has never allowed ads?

Today TechCrunch is running a guest blog post by Dennis Yu, an advertiser who knows a lot about the guts of running Facebook scams, since he used to make his money performing the exact sort of scam Arrington is trying to call out.  He claims to be reformed, he claims to feel guilty, but he’s not offering to give any of the money back in an act of contrition.  I guess the best we can hope for is that the information he’s sharing can be used to limit the damage caused by scammers going forward.  And limiting the damage is the best that can be hoped for, since the money being generated by Facebook ads is too tempting to stop altogether.

One of the biggest keys to encouraging a user to click on an ad has always been to make it look like it’s coming from a trusted source.  Looking like a legitimate Facebook ad is important, but using personal information from the user’s profile is even better, according to Mr. Yu.  Providing exactly that kind of access is something Facebook has led the industry in since its inception.  Developers have always had easy and wide-ranging access to user data on Facebook, in many cases even data that’s marked as ‘private’.  Facebook’s privacy policy spells this out, but few users ever read the policy when they sign up for Facebook, and even fewer read it whenever it’s updated.

It’s no wonder that developers flock to Facebook either; according to Mr. Yu, he was able to earn 40-60 times what Google AdSense could for the same ads.  Not that the ads were actually effective for the advertisers, but the companies were still paying out for ad placement.  The funny thing is that most of the ads didn’t convert to real sales, since a lot of the people using Facebook didn’t have or use credit cards.  In other words, they don’t actually buy the things that ads are selling.  But there are three things that don’t cost end-users money that they’re willing to accept: toolbars, supplying an email address or supplying their phone number.  Toolbars are egregious because they are often nothing more than conduits for spyware.  An email address is obviously useful for spamming, especially if you already have all the other information being supplied by Facebook.  The worst of the three for consumers is giving up a phone number, since this can lead to a recurring monthly charge that you might not even realize has been tacked onto your phone bill.  After all, how many people actually check their phone bills that often?

The bad guys, and even the guys who aren’t bad but want to make a buck, are going to find ways to exploit Facebook, MySpace and other social media spaces as long as there is money to be made.  They’re going to take advantage of weak enforcement and a lack of motivation to stop the scams from happening.  But the social media companies have to decide for themselves if the cost of accepting the ads is worth it in the long run.  Users aren’t stupid; they realize the ads are often scams, and many of them are playing the game just as hard as the advertisers, providing false or partially true information to get the rewards for clicking on banners and ads.  Soon Facebook will have to decide if it wants to be the premier site on the Internet or be relegated to the backwaters of the Internet, used only by scammers and fools.


Aug 16 2009

Firefox and IE8 tied, Safari 4 loses big

I finally had the time to sit down and read the NSS Labs Web Browser Security Phishing Protection paper this morning.  This paper is a test of the more popular browsers in use today and how well the reputation-based systems they’ve built work to protect users against phishing attempts by malicious sites.  The big winners in the test were Firefox 3 (not 3.5) and IE8, which almost tied at 80% and 83% accuracy for blocking phishing sites.  Given that the study quotes a margin of error of 3.6%, the two browsers are equal for most intents and purposes.  The big loser of the test was Safari 4, which only had a 2% blocking rate for malicious sites.  I hope Safari on my iPhone is better than it is on my MacBook, or at least that there are fewer phishing sites targeting the iPhone.

It’s very interesting that Firefox 3, Chrome 2 and Safari 4 all use Google’s Safe Browsing data feed but have very different results from the same data.  Chrome 2 only had a 16% success rate in blocking, compared with Firefox 3 at 80% and Safari 4 at 2%.  So why the big difference between three browsers running off the same information?  NSS Labs doesn’t offer an explanation and apparently none of the developers did either, so either Firefox is pulling in a lot of additional information from somewhere or the Chrome and Safari developers have some learning to do.

What I personally found the most interesting about the paper, though, was that the Anti-Phishing Working Group is quoted as saying that the average phishing site only has a lifespan of approximately 52 hours.  None of the browsers really reach full effectiveness for blocking a phishing site until about 48 hours after the site has become active, so you’re only getting 4 hours of maximum benefit.  The long-term trends look good, but it’s a little disturbing that many phishing sites go relatively undetected for at least the first 24 to 48 hours they’re live.

I’d be curious to see how Firefox 3.5 changes this mix.  Apparently it wasn’t stable enough to be used in this test, but maybe we’ll see a new set of tests next quarter.  I’m also wondering what effect the Firefox plugin NoScript would have on the results.  Since NoScript isn’t, strictly speaking, an anti-phishing tool, I doubt NSS Labs will be testing it any time soon, but I’d like to know how much more secure it makes my web surfing experience.

Now to go back and read the Socially Engineered Malware report. 


Jul 23 2009

Have you signed up for Security BSides?

Published by Martin under General, Social Networking

It’s coming up all too quickly!  Black Hat, Defcon and Security BSides!  Okay, if you’ve been in security for any length of time, you know what BH & DC are, but you may not have heard of Security BSides before.  Basically it’s an ‘unconference’, a user-organized conference that will be providing an alternative venue for some of the talks that either weren’t accepted by Black Hat or were never submitted in the first place.  It’ll be a small conference running side by side with Black Hat, but it’s not meant to compete; it’s meant to supplement BH.  The crowd will be relatively small and you have to sign up on the wiki beforehand if you’re going to show up, but it’s going to be a heck of a fun event.

If you’ve never been to an unconference before, they’re a little different from your usual conference going experience.  The biggest thing is that audience participation in the talks is not only encouraged, it’s necessary to make the conference successful.  The people speaking will all be experts in our field, but they have as much to learn from the experience of presenting here as the audience does.  One person’s experience is great, but the ideas that are pulled from the crowd are often just as valuable as the ideas the presenters are offering. 

Last, but certainly not least, think about attending the Feathers Will Fly Panel and the Secxy Pillow Fight to benefit the EFF if you can’t make it to any other part of BSides.  Erin Jacobs, Stacy Thayer, Jennifer Jabbusch and a number of other female security professionals are going to talk about the image of female security professionals and probably embarrass themselves along the way.  This will be a fun panel and a fun event, aimed at lampooning some of the images we have of female security professionals.


Jul 13 2009

Episodes 8 & 9 of the FIRST Podcast

Published by Martin under General, Podcast, Social Networking

Peter Allor is one of the two people who tapped me to cover the 21st FIRST Conference in Kyoto.  Pete is a member of the FIRST Steering Committee and the Conference Liaison, and he took a couple of minutes out of the conference to speak to me about how the conference was going.

Episode 8: Peter Allor, FIRST SC and Conference Liaison

Toby Weir-Jones from BT gave a talk titled “Deriving information from raw data: making business decisions with logs”.  We consider why it’s so hard to translate our log files into something that we can use to communicate with other business units who don’t speak the same language.

Episode 9: Toby Weir-Jones, VP Product Development, Managed Security Solutions Group, BT


Jun 25 2009

Heading to Kyoto: Who do you want to hear from?

The wife and I are all packed, the house sitter has been briefed (“Just don’t burn down the house while we’re gone”) and we’re heading off to the airport in a few minutes to fly to Kyoto, Japan to attend the 21st annual FIRST Conference.  The folks at FIRST have tapped me to be the media sponsor for the event this year and I’ll be blogging, tweeting and conducting interviews live on the floor of the conference.  There is a very interesting group of international speakers who all work in the incident response field, some (like me) less than others.  So here’s my question to you:  Who would you like to hear me interview from the list of speakers in Kyoto?  Leave a comment on the blog, tweet me (@mckeay) or send me an email and I’ll do my best to get an interview with your target of choice.  The interviews will be posted within a few weeks after the conference and I’ll try to sneak one or two in while I’m there.

Note to Rich:  Don’t burn down the podcast while I’m gone!


Jun 20 2009

Saturday morning reading for 06/20/09

There have been a lot of stories this week I wish I had the time to write about, but given the choice between blogging or getting ready to travel to Kyoto, Japan to speak at and podcast from the FIRST conference, preparation has been winning out.  My wife is going with me and she’s been shouldering a lot of the mundane, pedestrian tasks, but I don’t think she can write up reports for me or get ready to make presentations in my place.  Of course, if I could teach her how to do those things for me I would have a lot more free time, which I’d probably fill up immediately with more blogging or maybe tweeting.  Spending more time on Twitter is exactly what I need (that’s sarcasm, for anyone who doesn’t follow me on Twitter).  As silly as it may sound, I’m also starting preparations for Black Hat and Defcon, even though they’re nearly six weeks away.  By the way, it was revealed late yesterday afternoon that Adam Savage from MythBusters will be speaking at Defcon 17!  My kids may force me to take them to Las Vegas just so they can see him.

First off, I have a cluster of stories on PCI.  MasterCard stunned a lot of us this week by changing the requirements for Level 2 merchants, making it mandatory for them to have an annual audit by a Qualified Security Assessor (QSA) by December 31, 2010.  I still haven’t talked to anyone who had an idea this was coming, other than in very general terms, so it’ll be interesting to see how this plays out over the next couple of months.  I need to catch up with Avivah Litan some time and find out where Gartner’s negative view of QSAs comes from.  Three more related PCI stories are “Weak Security enables credit card hacks” from AP, “Security issues weigh most heavily with acquirers, research says” at Digital Transactions and “Best practices for protecting banking sites” at BankersOnline.com.  It’s good to have a story with some solutions, or at least ideas, to go with the posts about all the security problems we’re facing.

Next up are a couple of stories about some of my co-workers.  The guys over at SpiderLabs got called in to look at some malware that was found on ATM machines in Europe.  With the right ATM card and a few keystrokes, bad guys could have the ATM machines spit out receipts with card numbers, PINs, expiration dates and nearly everything else that’s on the Track 2 data.  Then the software can quietly erase itself so minimal evidence is left behind.  The You Shot the Sheriff conference is going on this weekend in Sao Paulo, Brazil, and a pair of the guys from SpiderLabs will be presenting on Rich Internet Applications and the risks they pose.  Potential disaster because of Silverlight and Adobe AIR?  Not possible (again with the sarcasm).

Finally, I have four unrelated stories.  First of all, Jeremiah Grossman is asking the Feds to make it legal to hack .Gov and .Mil sites.  We know these sites are mostly insecure, we know hackers are already attacking them, so why not set some rules of engagement and let white hat and grey hat hackers attack them as well, provided they report the findings back to the site owners?  The idea has some merit, but I’m still on the fence for this one.  Speaking of government web sites, the Department of Homeland Security now has a blog.  Now if Secretary Napolitano would just stop by the Bay Area for a short chat like her predecessor did, I’d be very happy.  Of course, it may be that asking lightning to strike twice is unreasonable of me, but I can dream.  Dave Shackleford has a post about an interesting book, “Adventures of an IT Leader”.  I don’t have time to get a copy from Amazon for the flight to Japan, but it sounds like interesting reading.

The last story is “the evolution of a blogger’s ego” by Jason Alba.  Any blogger who says they don’t have a fair amount of ego tied to their writing is lying, either to themselves or to you.  It’s not a bad thing to be proud of your writing, but some of the yardsticks bloggers have been using to measure their success have been superseded by new measurements.  Comments on your blog used to be what mattered; now it’s how many tweets, retweets, FriendFeed comments, etc. you get that matters.  The conversation between bloggers and their audience is getting more and more fragmented, but it’s also getting more interactive daily.

I’ve got another PCI related post to write this weekend, so that’s it for now.


Jun 02 2009

SilliSec tomorrow night

Published by Martin under Social Networking

Oops, misspelled the title; it should really be SiliSec, as in the Silicon Valley Security Meetup.  Of course, after a few beers it might end up being Silly Sec after all.  In either case, there’s a meeting of the security professionals in the Silicon Valley and southern Bay Area tomorrow night at St. John’s Bar and Grill.  I can’t make it myself because a two-hour drive each way just isn’t in my time budget right now, but there are certain to be some interesting characters in attendance.  If you’re in the area, stop by St. John’s and look around; if the SiliSec group is anything at all like the BaySec group, you’ll know within a few minutes exactly which group is the one you’re looking for.

Maybe I’ll see you later this month at BaySec instead.  Once this month’s date has been set, that is.


May 05 2009

Social Security Awards video

Published by Martin under Blogging, Podcast, Social Networking

That’s right, the video recorded at the 2009 Security Bloggers Meetup is available for your viewing pleasure.  You can watch Alan Shimel present the Social Security Awards, with a little help from Rich and myself.  This was the highlight of the night and the culmination of a lot of work by the people who put the event together.  I got to put Alan in his place (literally) several times during the ceremony and Mike Rothman was as close to speechless as he’s ever likely to be.


Apr 23 2009

Security Bloggers Meetup Pictures

Published by Martin under Blogging, Podcast, Social Networking

Bill Pennington did an excellent job of taking pictures at the Security Bloggers Meetup last night.  You can view them on Flickr or on Facebook.  And just in case you can’t recognize the people in the pictures at a glance, they’ll be tagged with the right names over the next day or two.  Gee, I’m surprised most of the pictures of me include a mic in my hand.  Go figure.
