Friday 31 August 2007

Data Nirvana

I like to oversimplify things. Not only does it mean I can understand them better, but it gives people the chance to criticise me, and start unneccessary arguments, which are, of course, the very staff of blogging. [Apologies to Leviticus (26:26) and Jonathan Swift for the mangling of prose].

Rich is going to blog some more on this in the coming days, so I won't add anything he hasn't already said to this précis, but I have been finding it increasingly difficult to keep up with him and Hoff with their ping-pong evolution of data security over the past couple of days.

I like to think of myself as a tool, in fact people often say to me: "Rob, you're a tool." So obviously that helps.

DLP= data loss prevention technology. There are a few players in this space, Vericept and Vontu being two that spring to mind. They are essentially passive endpoint filters which sit and monitor all data which is leaving and entering a closed system. The closed system needs to apply it's own classifications to data to prevent leakage or data loss. Hoff thinks it's a feature, not a product, which I only agree with long term. For now, it's a product in itself, and an important step on the roadmap.

CMF= content monitoring and filtering. As Rich says, this includes an extra step, where data at rest can be searched and classified.

CMP= Hoff's expression, content monitoring and protection. The next step in evolution, where the two are combined, so data already in the file system is protected when the solution is put in place, rather than waiting until each file is accessed. This is maybe why Hoff thinks DLP is a feature. Of CMP, it would be. However, so would encryption, key management, integrity, policy management, data classification, etc.

To make the full product, there needs to be a platform to build on, and there are yet more features needed. This is something I've started to pick Rich's brains on already, he's talked about policy and workflow management. This is something I want to pull Hoff into if he will oblige. In my opinion there are couple of ways this could unfold. As Rich says, EMC with Tablus could become a market force, and as they seem to be the biggest in the market right now, I expect they will be. I would like to see their roadmap and plans for addressing the market.

There is a company in the UK called Njini who are doing data-classification right now, with nothing fancier than that. They are focusing on de-duplication, which is a real business driver, with a real ROI, not a "Security ROI", i.e. it provides a GAIN, not just a prevention of possible /probable loss. There are plans afoot to develop this into a full data management system, where classified data can have encryption, integrity, compression, etc. applied as required.

I know of at least one other security company who are heading down the classification route, and I think it's a good move, because it makes business sense, not just security sense. I'm not sure EMC have got this yet, and are just going to add Tablus functionality to their high end storage. I would like to be proven wrong, but as far as I've seen so far, EMC really don't get security properly. In which case, someone else could undercut them, and their storage positioning, before they notice.

That someone else, again, in my humble opinion, could be someone small, and therefore might not make an impact, it could however come from somewhere better positioned from the get go.

Just a hypothetical question here, but what would happen if Microsoft implemented a proprietary data classification system in every Windows release from now on, included the code in the next set of Windows Updates even? How simple would it be for them to control storage then? How many of the encryption companies and integrity providers would want to be part of that? How much WORM storage kit would become redundant overnight, or at least require a total shift in marketing?

Is this what EMC are trying to achieve? Undoubtedly. It would give them a stranglehold on the storage industry like never before, but can they do it without the help of Microsoft? I don't think so, but then I think that's exactly what SISA is about.

You tell me, I may be barking up the wrong tree entirely. People often say to me: "Rob, you're barking." There have been tree references made, how wrong it is, and how far I am up it. So that helps.

Wednesday 29 August 2007

Ambiron TrustWave acquires OneSec

This is very hot off the press. I have just had an excited message to say that OneSec, one of the leading QSAs in the UK, have been acquired by Ambiron TrustWave, one of the leading QSAs in the US. The deal has been sealed with a press release reading thus:
"CHICAGO AND LONDON (August 29, 2007) – AmbironTrustWave, a leading provider of data security and compliance management solutions worldwide, has acquired London-based One-SEC Ltd. (One-SEC), the leading provider of Payment Card Industry Data Security Standard (PCI DSS) compliance solutions for businesses and organizations in Europe, the Middle East and Africa (EMEA). The deal is closed, and its terms will remain confidential."
The full document can be read here.

ATW have always been of special interest to me since I worked with Heather Mark at Vormetric, and more recently when I started contributing to PCI Answers with Mike Dahn. Mike was a top Ambiron consultant and Heather was the founder of a company acquired by Ambiron prior to the TrustWave takeover. They both did well out of the merger and now run a new consultancy together in the US, Aegenis, along with Heather's husband Chris, who I have yet to meet, but am assured is on equal footing in the brains stakes having held a senior security position at MasterCard. A pretty powerful bunch there... but this post is about ATW and OneSec.

OneSec I have met on several occasions, they are a great bunch of guys to hang out with at conferences. I've had several conversations about log integrity and whether they should be running with TripWire AND Kinamik, rather than just TripWire. Even when TripWire agreed that Kinamik did something different, OneSec were skeptical about the value-added. They know their business extremely well.

When I last spoke to Brooks Wallace at ATW, he revealed to me that they had their own technology, but he would look into it. That was the last I heard from them. Maybe it's time to pick up the phone again...

Tuesday 28 August 2007

Interview with Rich Mogull

I had the great fortune to catch up with Rich Mogull on his recent departure from Gartner. Without too much pre-amble, here's what transpired:

RN: So, Rich, the question on everyone’s lips, why did you decide to leave Gartner?

RM: It wasn’t any single reason. As I posted on the blog I’ve been there for over 7 years now. It’s a great job, but I didn’t think it was great enough to be my last job. I’m only 36, no kids yet, and had just sold my bachelor pad (a condo in Boulder). The stars lined up and it was just the perfect time for me to make my move.

I did feel like there weren’t many challenges left for me at Gartner. I didn’t want to manage there, and I’d hit all the goals I set myself as an analyst. It really has been the best job of my professional career, and it’s a great place to work, but anything gets stale after a while.

RN: Most people dream of the day they could think Gartner is stale. Did they try and make you stay?

RM: They immediately dispatched their Quick Response Tactical Team to my home, but I rapidly disabled them using my superior martial arts skills.

RN: There was a ninja fight, and you won? Did you hurt anyone you wish you hadn't?

RM: My managers were great and very supportive, if disappointed. Leaving is never easy.

RN: Hmm… tell me about it. Any plans decided on yet for the future?

RM: For now I’m doing independent consulting and using the blog [Ed: OK, we get it!] as my home base. While I’m open for that “perfect opportunity” I’m definitely not looking for a position anywhere yet. There are a lot of things I’d like to do in this industry, and consulting gives me the freedom to move around. Long-term I’d like to be able to support my family AND spend time with them; those kinds of jobs are rare in our industry.

RN: Yeah, tell me when you find it, I'm right behind you in the line. I was hoping blogging would keep me grounded. It hasn't turned out that way at all. I guess traffic has slowed a bit since you haven't been able to cover data-security? You're obviously keen to get people back to your blog.

RM: Definitely! Data security has been the main focus of my work for over 5 years and I think we still need to do a lot of work on the topic. There’s a lot of disjointed information out there and very few people pulling it together into a way that makes sense and people can act on. What we have today is mostly people running around dropping point solutions in place because of an audit deficiency or a breach. Data security will eventually evolve into something more strategic, as have other areas of security, but it will just take some time. I plan on doing what I can to nudge things in the right direction and contribute to the dialog.

RN: Back to blogging about data security on a permanent basis to influence the industry then?

RM: I won’t be limiting myself just to data security. Data security is really morphing into a data and application security stack, since the ties are so close (at least for structured data).

Another area I’m fascinated with is security research- I think that’s probably one of the most important areas of work these days, since vendors are more focused on point problems and getting products out the door. Researchers are the ones that really push us, from the inside, to improve how we do security. Bad guys do it from the outside and force us to just respond, while the research types help us harden what we have and come up with some really creative ideas to reduce future risk.

RN: Good point, but I hope we'll be arguing about data security still. I need another sparring partner. I ended up agreeing with Hoff too much, and we need someone to kick us around a bit.
Talking of the industry as a whole however, what's your opinion at the moment? Where can I make some money?

RM: Overall the industry is a bit “heavy” right now. There are definitely more vendors than the market can support, and a lot of confusion as we try and balance compliance requirements with our actual risk. It’s not that I’m against a lot of vendors and products, but we’re seeing some crazy stuff where someone takes a good single feature and thinks it’s enough for an entire company. Let’s be honest, something like portable device control (USB blocking/auditing/etc.) isn’t a market in the long run. I’m not too worried though, I think this is a case where market dynamics will really take care of things for us. If there’s a good tech out there, odds are someone bigger will buy it and integrate it into a suite of some sort. If it sucks, it will just die. Some of the bigger vendors keep trying to charge more for every widget and don’t do integrations well, but I think we’re seeing early signals that the tide might be shifting, if only a little, on that one. Things are definitely more manageable than a few years ago in certain areas, but increasing complexity and greater adoption of less mature products to deal with point threats makes it hard for us to see that.

We’re also in a confusing time for security pros as the career tracks morph; and that’s something I want to write a bit about.

I think it’s all just the pain of one of those industry shifts that hits every now and then. Melissa and Code Red ushered in the days of network security and AV, and showed us that if you don’t secure the network, you can’t do business anymore. Today we’re seeing the twin attacks of compliance and web application/phishing/data exploits drive us towards better application and database security. Compliance is also forcing some of that professional shift since we’re having to deal more directly with executive management and learn to speak their language.

And it’s not like things will settle- the expanding proliferation of consumer devices and services is forcing us to rethink how (or if) we lock things down. That wave is hitting even before the compliance/data breach wave ends.

RN: You're making me tired just thinking about all the re-training.

RM: It’s all good, just a little painful at times. I like to think of it as job security.

RN: Who’s your favourite English blogger living in Spain?

RM: Uh... let me think... There’s this Bob Oldby dude that’s not too bad. Talks weird though...

RN: Ha ha. Good job there's nothing funny about your name or I'd have you on that.

Thanks Rich for a thoroughly entertaining and informative interview. Good luck with wherever the wind takes you, and keep in touch. I look forward to many arguments.

Endless suffering of the security brains

I started talking about Web2.0 security recently in fairly simple terms some time ago, on the back of something someone else said, just to explain it to myself really. I find it interesting that the Long Tail that is creating such an economic phenomenon, enabled by the web, is causing such a security issue. Then I couldn't help noticing all the attention VMWare has been getting recently, for exactly the same issues. Hoff waded in over the weekend with all sorts of new-fangled words and explanations to make my brain bleed, but the underlying message is exactly the same. Web2.0 security and hypervisor security are evidently very closely related.

Where Web2.0 (and no, I don't approve of the term, but it serves a purpose) is made up applications bringing together data and applications in new ways, to create new workings of the web as we know it, so hypervisors, virtual machines to you and me, do the same in a more localised environment. Thankfully, Mogull's back on the scene, and finished Hoff off before I even woke up this morning, with a "dump the problem to hardware". But it seems that you don't even have to be that concerned about the hardware if you have a reliable secure framework.

The guys at Matasano, more precisely Thomas Ptacek, have all the info on this, which is worth reading a few times. Slowly. And then again. I'm on at least my fifth reading by now, and I learn more each time. By now you will have seen the Black Hat presentation from MC telling how they can always detect the BluePill rootkit, and it is evident that their Samsara offering is THE thing which I said I had no idea how to create. A framework for detecting virtualised malware. How I wish I'd been at BlackHat.

[Note: I find it ironic that Samsara is a term used in Buddhism which can mean not only "cyclic existence" as I believe is the allusion which Thomas et al were aiming for, but also "endless suffering", which may be closer to the truth for them. And what's with all the buddhism/security stuff around at the moment?]

Thomas, having put in what seems like a lifetime of research from the quality of the results, comes to the conclusion that:
"Hypervisor rootkits are not a major threat."
What? Why didn't you just say that in the first place. Why on earth put all that effort into just proving Joanna Rutkowska wrong? Should we all carry on looking at something else...? Hang on!

Hypervisor rootkits may not be a major threat, but Web2.0 security is a huge problem. Can we apply what we know here to "the Internet" as described in my original post? I believe this is what Mark Curphey is trying to do with SourceClear, and I really believe it is the way forwards. I've been a believer in such frameworks for some time, but as Rich will probably point out at some stage, there's really very little in the way of business drivers for such things to be deployed in any great mass.

I'd like to see Microsoft and/or VMWare pick up Samsara/SourceClear and any number of other security frameworks, not to improve business in any way, but to improve the future of security. To make our conversations more interesting if nothing else.

As Rich says, can we talk about DLP again now, or CMF (content monitoring and filtering) as Chris has dubbed it? I've also used this term since because I like it and it seems to describe a much more specific problem. Now I'm satisfied that all of this hypervisor and Web2.0 stuff can be ignored, I'm back to playing with the data.

Saturday 25 August 2007

A bit of news...

I've just nipped out to the hotel bar area to catch up on some email, and thought of something worth sharing. My wife is happy with her pina colada on the sun terrace, so 5 minutes on the blog I should just about get away with. Shhh... no, that's not the thing that's worth sharing.

A couple of weeks ago I got a mail from someone I admire a great deal. Since I've started blogging, he has encouraged me, let me pick his brains when he's got far better things to do, and coached me around some pretty tricky subjects, including his recent departure from a pretty high profile job. Why did I need coaching around HIS departure? I hear you ask. Who the hell are you talking about? I hear you cry. Well, if you stop talking a minute, I'll explain.

One of my very first entries on this blog mentioned how I'd followed Rich Mogull for many years. I still do wherever possible, although Gartner had made that difficult with their "gagging" of analyst blogs. I still regularly make comment entries on his blog however, just so he doesn't forget me. I guess I pestered him enough to talk to me, and when I joined my current company he very graciously agreed to speak to me about what I was doing.

I've still never met Rich in the flesh, we've never been in the same country at the same time since he's known who I am, to my knowledge. However, when Rich handed in his notice to Gartner a couple of weeks ago, he emailed me to let me know. "You may have already heard..." he started. I hadn't, so I was pretty startled to be getting an email of what must have been a pretty personal event. I imagine, therefore, that a few others in the security community got a similar message.

Quick as a flash, with my reporters nose for a story, I asked if I could write something about it. He asked that I keep it quiet until he announced it himself. Someone at Ziff Davis had scooped it already, which was somehow roundly ignored by everyone in the SBN (maybe because Rich emailed us all). But now the covers are off! For 2 weeks I have been biting my tongue and wanting to tell everyone. Well Rich, I managed to keep it secret. My wife knew, but not being in security and although she was interested to meet a rich mogul, I think she was thinking more Hollywood.

As a concession to not getting the scoop, and being good with secrets, I blackmailed Rich into giving me an "exclusive" of my own. When I get back I will be printing a short interview with His Mogullship, which I am genuinely excited about.

That's just one of the exciting pieces of news to come in the next 2 weeks. It doesn't get much better than this, but it should remain interesting...

Mrs. N's just finished her cocktail, so I'd better be off.

Friday 24 August 2007

Just before I go...

Ken Belva posted last week on his policy of using private email conversations as blog posts. I have to agree with him, it's pretty tight to go publishing what someone else has told you in confidence. Anyway, I posted a comment on Kai's post about Ken's original and Ken mailed me to say "ha ha, very funny", and finished it off with: "Naturally this email is confidential unless sold on eBay."

I think I may have just broken the terms of his contract.

Hasta luego hombres! :)

Dunmoanin

You know what? I'm through with complaining for the moment. I actually have it pretty good right now, and I've just arranged for a fabulous weekend away for my first wedding anniversary with Mrs. N.

So, with apologies (and thanks where they've put me straight or just put up with the rant) to Mike Rothman, Evan Schuman, Richard Stiennon, Rory McCune, and everyone else I've inadvertently growled at in the last month or two, I'm off for a rest. I've been under some stress and I've needed to make some changes. I will be revealing some stuff in the next couple of weeks which will make you go "Aha!", or at least "oh, right, stupid sod."

On another note, I've started receiving comment spam, so I've turned off the free for all commenting and everything has to be approved before it's printed. Boring for me, and boring for you, but if some idiots will spoil it for everyone, then the whole class will have to stay behind during lunch. Boo.

The first post after I get back will be an interview with a great man who has just stepped down from a great position, a chance for him to put things over in his inimitable way and tell us what he's doing with his life. The second will be more personal news, which should help tie together a few loose threads that I have left dangling in the previous weeks. If that doesn't tempt you to keep reading, I don't know what will. But first, I'm off for my break...

Don't tell 'er indoors, but I'm taking her away to Sitges for a long weekend. One of the most beautiful towns on the Costa Brava, steeped in history, miles of sandy beaches, and the gay capital of Catalunya. I had forgotten this until after I made the booking, but I don't think she'll read anything into it.

Anyway, I won't be posting anything for a few days, and when I get back I will be filling you in on some of the missing links you'll need to piece together these cryptic clues.

Thursday 23 August 2007

What we've got here is... failure to communicate

Every so often, a story appears and just seems to fit something I've been thinking about. I've used the quote from Cool Hand Luke referred to in the title before, but never before has it been quite as relevant than in the last couple of weeks.

The full quote, just because I like it a lot:
"What we've got here is failure to communicate...
Some men you just can't reach, so you get what we had here last week...
...which is the way he wants it.
Well, he gets it. And I don't like it any more than you men."
What we had last week was Skype being out of service for 2 days, bringing the popular service to its knees. I'm pretty sure that's NOT the way they want it however. Yesterday, there were reports in the Register, under a very similar title to mine, which is why I've quoted it again in fact, about VoIP.co.uk going down for a full day because their PSTN connection was out. Oops.

I used to install VoIP kit in the UK, and although the hardware is pretty robust, there is often complex and constantly updated code inside, due to the nature of the rapidly evolving telecoms market over there. There is very little experience or expertise in this area, and no-one knows whether this is traditional telecoms or IP work for the network guys. I can tell you that from experience, the network guys get it far more easily than the telecoms guys. I once flew down to Lyon in France to "fix" a PSTN to SIP conversion box which had the wrong wire plugged in - by a French telecoms guy. Well, the wire was the only wire available, he'd just configured it incorrectly. Still, weekend in Paris afterwards, not so bad.

Unless it's part of the same SIP network, any outside connection still needs to use the PSTN to get to any other network, SIP or otherwise, so there's a weak link. Until we have interconnecting ethernet (which I've just decided is what I will be calling my band when we start touring...) around the planet, this will always be the case. The bigger problem we are facing now is that our IP infrastructure has been built on our phone network, and now we are building a phone network into our IP infrastructure. The technical difficulties are more of a challenge than an obstacle, but to me this has never made economic sense. How can we provide a free phone service on an IP network which costs less than a phone network than it runs on? Who's swallowing all the costs here? The phone companies. Do the these companies who carry the IP networks who carry SIP really want to give their full support? I'd be interested to talk to anyone who knows the answer. I'm not implying that there is any sort of underhand business going on here by the telecoms companies, but maybe it serves them quite well to see the SIP boys suffering total failure once in a while. You could never run a critical business system on that, could you?

If you take the quote above in its original context, it's pretty evil. The Captain of Luke's chain gang has just pushed him down a hill for trying to stand up for himself, and the Captain is showing him and the rest of the prisoners that their relationship is essentially one of master and slave.

The question is, in this upside-down market, who is the master, and who is the slave?

Tuesday 21 August 2007

Compliance causes arguments

I mentioned yesterday that I would write more about my conversation with Erich Baumgartner at Ingrian Networks. I believe a few of the SBN know Erich rather better than I do as a matter of fact. Erich mentioned that he knows Alan Shimel and Mike Rothman amongst others, in our whistle stop tour of the security community.

I've talked before about how I've worked with Ingrian for much of my career, from when they were a fancy SSL box up until now, when they have their fancy key management and encryption system, DataSecure. I helped them sell their first devices in the UK 6 years ago, and when I moved to distribution I helped them secure a relationship there too. Not that I feel like they owe me anything, I believe it to be great technology, and more importantly, I like working with them. I've always had the opinion that Ingrian's marketing machine is permanently on full steam ahead, and having met with their marketing lead at InfoSec this year, Betty Liang, I can understand why.

Something we inevitably got around to was Ingrian's "60 days to compliance" stance. Evan Schuman printed an article without speaking to anyone at Ingrian, and Mike Rothman waded in soon after, and then again a week later. Erich sounded genuinely hurt when he said "I don't know why Mike didn't pick up the phone to discuss this before going to press".

So to set the record straight, I'm going to attempt to present this from the their side, as explained to me briefly by Erich, and in the style you will be becoming accustomed to in me by now, belligerent Brit that I am. First of all I appreciate Martin Hack's reporting of this from a supportive viewpoint, I think the consultant here has taken this the right way. This is not meant as something which a compliance officer looks at and says to himself: "Phew, Ingrian will do everything for me" and forget about his PCI program. They are clearly addressing part of PCI, and not the whole thing. I don't think ANYONE would employ a vendor to do that, even if they could address everything in PCI with technical controls.

Let's start by having a look at what the press release ACTUALLY says:
"Ingrian® Networks, Inc., the leading provider of data privacy solutions, today announced a 60 Days to Compliance Program to assist companies in meeting the impending payment card industry (PCI) compliance deadline. The new program is designed to simplify the compliance process and offers a start-to-finish strategy that includes: Ingrian award-winning appliances, data discovery of credit card numbers, comprehensive customer training and support, and implementation in order to bring customers into compliance in 60 days or less."
OK, so there's a bit of marketing speak in there, but I think it's fairly clear with words such as "assist", "strategy that includes", etc. It goes on to say:
"Ingrian's new program will help companies worldwide implement encryption, and is especially timely as retailers scramble to meet the upcoming September 30 deadline for the PCI Data Security Standard."
That clarifies things even further for me. Maybe the issue is that it sounds like Ingrian are offering full compliance in 60 days, but realistically I think anyone who cares enough to be attracted towards this type of advertising is going to be savvy enough to work out for themselves that Ingrian is only offering to address the relevant PCI requirements around encryption and key management. I get that this is pedantry from Mike and Evan, and in their worlds everything should be clear and laid out straight down the line, but it's not particularly snappy to advertise a "60 days to addressing the requirements of PCI DSS concerning encryption and key management, as part of a full compliance program", no matter how correct that may be.

I can't see that Ingrian have crossed any sacred security line here. Maybe the issue is that they've credited their customers with too much intelligence? Maybe they've made too many assumptions about the type of research people will have done into PCI before going to look at vendor sites? I'm not sure that many potential customers will just be browsing around and think "Oh hang on, PCI, yeah, I could do with addressing that, ah, look, Ingrian can do that, I'll buy some of them... hey look, a pony!" [thanks Saso for the catchphrase :)]

They've cut back on unneccesary words and made people read their headline grabbing claims. It's a shame that it doesn't seem to have been read it in context, but then maybe this was a deliberate ploy. Free publicity in Mike Rothman's and Evan Schuman's blogs, whether negative or positive, is priceless.

People forget the context they read things in after all.

Sunday 19 August 2007

Who's is bigger?

I had a chat with Ken Belva a couple of days ago over email. He pointed out differences between UK and US airport experiences. In the UK they make a big deal of not threatening the staff, in the US, they make a big deal out of the customers being comfortable. I wonder why this is?

Obviously it must have something to do with the behaviour of people passing through British airports. I pass through one roughly once a fortnight on average, and I have yet to attack a member of staff, no matter how close I've felt to inflicting pain of some sort.

It's a while since I passed through an American one, on my honeymoon to Tahiti we stopped off in LA en route, so it's almost exactly a year ago (Sunday is my first anniversary). I don't remember LAX being anything special, it's quite small for such a well known airport, but they didn't spoil me or anything. I suppose I was comfortable enough, but I recall a very officious security man throwing his weight around and making my wife laugh because "I didn't know people like that actually existed". Maybe it's our perceptions, or rather how the people advertise themselves that are different?

However, I rather think there is something else in it than that. The UK has 2 main airports, you HAVE to come in through one of them if you're coming from the USA. No choice. Chances are, you're tired, pissed off, and ready to eat a baggage handler for rifling through your underpants. There are an awful lot of Yanks in London, and if they're all filtering through Gatwick and Heathrow, the chances are there are going to some staff assaulted, it's a hazard of the job. These guys are so badly paid, they need to be protected or they'll walk. Not that that's an issue of course, because there's always someone else waiting in line for the job, but the airlines have to show willing.

The US meanwhile has many hundreds of airports, some smaller than my living room. These guys need our custom to survive, so they LET you hit them without complaint, bid you "Have A Nice Day, Sir" and enjoy the experience with what remains of their teeth in tact. They don't leave their jobs, because otherwise they'd have to fly to work in another state, or just remain unemployed. The airlines don't care, because there are other people lining up for the job, and they are too busy keeping customers happy.

...

I was chatting with Erich Baumgartner over at Ingrian Networks earlier in the week too (more on this in a later post). Erich really knows what he is talking about when it comes to security, start up business, and business in general. He's the kind of guy that was created out of the 90s internet boom and will always continue to have success, a good friend to have in a 2.0 world (Earth2.0?).

I had just said that technology markets here were typically 4 to 6 years behind those in the US, and Erich had come back with the fact that it was not the case in the mobile industry. The UK is streets ahead apparently, in both products and innovation. I was confused at first, but Erich explained that the US fixed network had been in a very good condition when the internet first arose. The phone system in the UK is still not great, despite constant attention. Of course the mobile networks have a much smaller area to cover. 99.999% of the UK is much more readily achievable than 99.999% of the US. Much of that area cannot be inhabited in any case.

It's just a matter of relative sizes of our countries and the economic sense it makes that decides which direction each takes in their attitude to various markets. That's why I can get away with being grumpy every so often. I like to think of it as my own little niche.

You guys have to be nice, of course, otherwise I'm going to read someone else's.

Saturday 18 August 2007

History repeating

An interesting question from the TechDirt community earlier led me to do some research on the dot com bubble and its subsequent burst in the 90s, and as the question asked, I wondered if there is anything we can learn from this. Are we about to repeat our mistakes in another mad dash for the 2.0 cash?

To précis the situation very quickly, the problem was that dot coms had to be run by very technical people by their very nature, and they drew vast backing from businessmen and women who very shrewdly realised that the internet was a Good Thing. The businessmen also realised, in their shrewdness, that it was going to be a very competitive market to stay afloat in, and without the best business support, the technical guys could have the best product in the world, and it wouldn't float.

So the business guys did what they do best, and spent wads of cash on advertising, Pets.com famously spent $1.2million on advertising during the SuperBowl in 2000, and maybe this is why it is still the Gold Standard for internet business failures. (Editor's note to self: maybe Gold Standard isn't a good description of failure?)

The technical guys, meanwhile, did what they wanted to do with their own little businesses at last, with huge backing from businessmen, they piled massive amounts of cash into Research and Development. It is estimated that some businesses around this time were spending upwards of 75% of their capital investment on advertising and R&D.

Thus the operating costs overtook the income of most of the businesses and they went into "negative profitability", or loss as it is more commonly known. Stupid huh?

Well, with hindsight it would appear so, but the same thing happened in the Gold Rush of 1848 and no-one thought to bring that up. OK, it wasn't businessmen and technical guys, but at the end of the day it was over-competition for a share of a finite pie. So there were still winners, and new pies are being created all the time, Mark Curphey pointed out the other day that one of the first millionaires in the Gold Rush was the chap who sold shovels.

The stock market rise and fall on the back of this was also a repeat of something which happened many years earlier. The South Sea Bubble of the 1720s bankrupted Isaac Newton amongst others, including half the British government of the day, and yet we still don't seem to learn.

There are a host of unanswered questions that can come out of this:
  • Is this just the nature of markets and monopolies?
  • Is there a way to avoid it?
  • How will 2.0 be different now the business guys are technical and the technical guys know business?
  • What's the bearing on security?
  • What's the modern shovel equivalent?
And I hope a host of posts will be spawned from this little nugget. I'm not going to start going on a long ramble because it's late over here and it's the weekend, and I'd like to hear some other people's opinions before I go any further.

I just wanted to share some stuff I learned today. Interesting innit?

Friday 17 August 2007

What's next for security?

"I do agree that the low hanging fruit of security has been picked and now it's more about constant improvement. So we are unlikely to see many (if any) truly innovative solutions out there anytime soon. Of course, I can (and have been) be surprised, but it feels like we are stagnating a bit as an industry. Which kind of makes sense because the reality is security should be a feature of everything we are doing." - Mike Rothman.
I don't 100% agree with Mike on this one, but I see where he's coming from. Richard Stiennon called both of us old men, just as I was forming some pretty neat ideas...

I posted earlier in the week about the new data breach laws coming into effect (hopefully) in the UK soon. Having done a little more research on it this afternoon, I found the notes from Bruce Schneier's interview with the select committee on Science and Technology (on Light Blue Touchpaper's article).

Bruce touched on a number of interesting areas, and kept it easy to understand without missing anything. I was impressed. Something which interested me a lot, due to recent conversations around the blogosphere was his notion that current security trends could "spark an industry in sandboxing... So if you are writing this piece of software and knowing that you cannot guarantee it is secure but want to sell it anyway, maybe there is an after-market product where you take your software, put it in, wrap it around, and that provides the security. To me, as soon as you set up these economic incentives, capitalism just solves the problems. Innovation is going to work. There will be hundreds of security products, of security add-ins, of security toolkits."

This brought to mind something Mark Curphey was talking about last week. He talked about the first millionaire in the California gold rush, not making his money from gold, but from selling shovels. I know Mark has an idea around the long tail of security, and he broadly agreed with my analogy of Web2.0 security from last week. So, could this be his plan? Actually, I don't want to know, if it is, I don't want to give the game away. I haven't got the first clue how you would go about making a sandbox for all the current aggregators (Facebook, MySpace, LinkedIn, etc.), and the smaller apps that plug into them. It fits in nicely with my analogy of the long tail of security though. Now the 'house' (aggregator) and the 'extension' (plug-in app) are put into modular cubes which can fit on top of each other. This would make sense if the 'cubes' can be marked up properly for their properties and interaction with others.

I absolutely think this is where security will grow next, but how it will be achieved is a different matter. It's hard to achieve. It's like VMWare for security, and the platform doesn't exist yet. Mark's on his way to creating this and will no doubt do very well from it again.

Thinking outside the box, or network device, is something which is going to become ever more important as we move forwards.

Are we missing the point?

I'm a big fan of encryption, always have been, always will be. I'm a fan in much the same way I'm a fan of crosswords, and used to spend hours playing with Caesar ciphers as a child. I was disappointed when the InfoSec Europe 2007 website didn't finish their puzzle series, I was on the leaderboard until the very last puzzle, which I just couldn't work out... and still can't, so I know I didn't come anywhere near winning, which I could care less about, but I REALLY want to know what the answer to that puzzle was...

I've worked with a number of encryption providers over the years, and spoke recently with Voltage about their elliptic curve identity based stuff. It's all very clever, but as with all encryption I'm beggining to wonder if we really need to be spending so much time working out new secure methods of obfuscation, or tying up the entry points.

To anyone who has spent any time in this area, this will seem simple, but I've read a number of articles this morning about encryption (in the name of research), which imply that this is not common knowledge.

I'd love to spend the next 4 hours telling you about everything from Diffie-Hellman to ECB, CBC, IVs and all manner of other TLAs. I don't have enough room on the blog and you don't have enough patience however.

The problem is, even with the strongest encryption in the world, if I have your password and account details, I can see that data. Data security doesn't just sit in and with the data, it is totally dependent on user security. The fact is that there is no such thing as unbreakable encryption. Given enough time, and an infinite number of monkeys, I could break anything you provided me with. Sure it might take 1000 years with a million PCs, but it's not unbreakable, there is no fully secure encryption method, and thus it must be or we wouldn't be able to decrypt.

Also, access controls are probably about as good as they're going to get. We can polish the management of them, but you either let someone access the data, or you don't. What aren't so good, and what really needs educating about a lot more, and soon, is user security.

If we had this implemented properly in our networks already, we'd be a lot more secure. Two-factor is just about strong enough for corporate use in my opinion, single factor should be reserved for blog comments and signing up for demos. Banking should be as tight as possible.

I appreciate that there are people working on AAA to address these issues too, but isn't it time we had an end to end message for the clients and users of the systems. Security is way too confusing for most people, and we're way too busy to educate on every part of it aren't we? Well, if we make the time now, I have a feeling it will make our lives a whole lot easier moving forwards.

And hey, we might actually learn something ourselves.

"VMWare innocent" shock?

VMWare have been pretty much permanently in the news for the last few months, years even. I can't even remember when I became aware of VMWare even, it seemed so ubiquitous so quickly that I assumed it was just another techie toy that I had missed in my pursuit of truth and beauty through security. What do you mean I did it for the money?

Earlier in the week The Economist was getting all mushy about how VMWare were revolutionising IT again, creating another internet boom. Well, maybe when the bandwidth is available, eh?

The fact is, VMWare have been pretty lucky with their invention, they hit the market just when people were beginning to wonder how they could get more out of their struggling infrastructure without having to invest the same money all over again. Then all this Web2.0 thing got fashionable, you know, building things on top of things, and suddenly people really "got" what VMWare was.

It seems that VMWare may have forgotten however. Yes, like everything else on the market, VMWare runs on a Linux kernel:

"VMware uses two kernels that run directly on the hardware; the vmkernel and vmkmod - a Linux kernel. Because a computer can only run one kernel at a time, the job of VMware's Linux kernel is pretty basic. It's only purpose is to boot the vmkernel. The only way to load vmkernel is through vmkmod, and vmkernel requires Linux — which essentially means that when ESX Server boots, Linux is its kernel."

Very concisely put, and simple to understand for a layman like me too, thanks "The Register". Now I'm no expert on GPL or any of the stuff around it - which is why I did a bit more digging. It struck me that pretty much every device (yes I know VMWare isn't a device) on the market has a Linux core of some sort. Do they all pay royalties to Linus? Is it only when they become successful that they have to comply with the law? Does everyone already comply?

I know a few people will be saying: "Of course everyone complies numbnuts, you have to agree to the license before you can use it at all." I don't like those people, they're bad to me, and I'm trying to read.

If you dig deeper you find that "if your work is a derived work of the Linux kernel, then it must be released under the GPL. If it is not a derived work of the kernel then you can do whatever you want with it" i.e. if it runs on Linux, no problem. If it is basically altered Linux, problem.- from the Slashdot forum linked below.

As one contributor commented on Slashdot:
  • Wait for big, innovative company to IPO.
  • Watch as share price goes up 90% on a day when the Dow is losing 100 points. Feel bad I don't work for that company. Boo.
  • Blog about possible copyright violations that would surely bring down EMC or VMW. Make investors nervous. Buy low.
  • Profit.
I'm not so sure that it's that steeped in conspiracy, but it does put a different complexion on things. It's good that the Register and other publications print stories like this, because it gives conspiracy theorists a place to congregate. It seems that VMWare have been roundly ignoring all accusations of copyright/copyleft breach however, and if I were their company lawyers I would advise that too.

Sadly, much as I like a fight against the big mean ugly software superpowers as much as the next right-on left wing downtrodden sandal wearing hippy, I can't find a reason to prosecute.

Thursday 16 August 2007

Who's watching my data?

The following article was one I submitted for the InfoSec show programme in the UK this year. It was not printed, but appeared on several sites immediately afterwards, which was really the start of my interest in reporting on security. It was originally titled "Who's watching my data?", but has also appeared under other titles. This was my original title, so I'm keeping it real...

I can no longer find it online, only cached by Google, which isn't the same thing, so here it is reprinted for posterity, and to massage my own rapidly inflating ego:

Who's watching my data?
In a networked world, are we protecting the right thing?

To be successful, a business must make money. Increasingly this money is not just cash being transferred between organisations. This valuable information takes many forms, a business’s IP, a bank’s customer details, a retailer’s credit card information. In the real world, we can see that cash is cash; we trust it because we can see it and feel it. Other items that we buy with our cash, we only buy when we are satisfied by the quality, look, feel, taste, etc.

We can restrict access to the things we hold valuable to our organization; we can encrypt our data and ensure all access on the network is to the correct users. We can even pass data across the hostile internet in trusted encrypted tunnels, but there is never any guarantee that the data we receive is the same when it was sent. In short, we could be being “sold a lemon”.

For complete integrity we need something which follows the data. This “data-centric” approach is the only way in which we can truly trust a transaction of any kind performed on a network, by its users. Transactions can range from the simple: logging on, accessing a file, to the more complex: trading shares or buying a product from an online trader.

The only technical solution that currently exists is digital signatures. This requires some form of PKI, at the very least a trusted key for each data holder. This gets expensive, and as anyone who has tried to administer a PKI will tell you, it leads to other headaches. What do you do when someone leaves a company? You can revoke certificates, but the revocation is never instant, and fraud only ever happens when there is the opportunity for it to happen. If a digital signature is broken, you cannot trust any of the data it applies to. And you don’t know where the data has been changed.
The C-word

The very mention of the word “Compliance” has many network administrators putting their head in their hands. Regulations such as SOX, J-SOX, HIPAA and PCI DSS, although originating in the United States and Japan, are now being felt in Europe. PCI DSS applies to all retailers processing credit card details, but is easier to enforce in the United States with the backing of California Senate Bill 1386 which in simple terms says that if a breach of data occurs on a network, the breach must be made public knowledge.

As subsidiaries of American and Japanese companies have to comply with SOX and JSOX, plus other industry specific regulations, so do those that do business with them. The truth of the matter is that compliance is there for a reason: to ensure the security of the customers using our businesses.

In November 2007 a committee will sit in the European parliament in Brussels to discuss a new disclosure law, following the same lines as SB 1386. Suddenly these regulations will have a new set of teeth, the backing in law and the ability to apply large fines for allowing a breach to take place unnoticed.

How do I protect my investment?
A more granular approach to data integrity is needed, in line with the data encryption and access controls that accompany it. These solutions need to achieve the same level as user and network integrity solutions, or they are the weak link in our security. When the integrity of data is in question, we need to ensure that more information is not lost, complete transactions can be reconstructed and the source of breaches discovered before they become financial losses. As data-centric security becomes as important to businesses as user, perimeter and network security, this is an important part of security which will need to be addressed before we can say we are truly safe from information loss.

Elliptic curviness

I had the pleasure of catching up with another employee of Voltage this week. They, or rather their PR company, are really keen to get their name out in the general populace. So, I've decided I'm going to be your self-elected Robin Hood for the time being, man of the people that is, representing the proleteriat (OK, I'm sounding far too much like Karl Marx here), not stealing from the rich to give to the poor (necessarily, although I might have a go later.)

The guy I spoke to this time endeared himself to me immediately by asking "Are you the Rob Newby that's in the Wall Street Journal today? Or is that a fake Rob Newby?"

"Yes, that's me", I glowed quietly (can you do it any other way?), and realised I was being an arse, albeit privately. So then I got down to the business in hand, and asked him all about what's going on at Voltage. You will know if you read my blog regularly that I am a bit of a data-security freak, what you may not know is that I am an encryptionophile (is that a word?) too.

It took me a little while to get my head around elliptic curve crypto, but then relating it to identity based encryption was pretty simple. I like the idea, but I was curious to find out where it can/is being used to greatest effect. My suspicion is that these things aren't going to be used widely in file and database encryption for example, which is really my background.

It seems that the most traction these days is with email, on an enterprise scale. I can imagine this stuff scaling up well in an enterprise environment. But Wasim was keen to emphasise that they were very excited about the application and database security developments. I know from experience this can be a hard area to break into, and there are plenty of well established vendors in this space already.

My main question to him centred in on this somewhat. "On the website, you seem to cover pretty much EVERY aspect of encryption, laptops, email, databases, etc. How do you segment for your sales force, and do you think you might be overstretching?"

I wish I'd recorded Wasim's answer, because it was much more interesting than what I'm going to repeat, but he basically said that they are doing a broad sweep at present to see where the interest is, but they already have a number of large customers across the globe, in each of the areas they talk about.

I'm really interested to see where encryption goes next. I like elliptic curve, and I'm watching key management to see what direction it takes next. Sun's publishing of it's APIs doesn't seem to have made a huge splash yet, but it would be good to see a common format for sharing keys across diverse infrastructure.

We also talked briefly about SISA, which I talked about last week. It seems they are currently in talks with the SISA gang to see if they can also get on board. This would be a great advantage to them of course, akin to backing from Microsoft and Cisco.

Thanks to Wasim for the interesting chat, and best of luck for the future, I have a feeling we will be coming across each other again soon.

Wednesday 15 August 2007

Fame and misfortune

My fame is spreading quicker than expected, and not particularly in the way I would have liked. Richard Stiennon called me an old man a couple of days ago. I only picked it up because Alan Shimel made a reference to it. And even then he called me Ron. :)

I guess I should be happy to be referenced by Richard and Alan at all, but the fact is, I'm not so old. I'm 31. Rothman's far older than me, and Alan, not to mention Stiennon himself. Ah, so he said I "sound like" an old man. Perhaps I should take that as a compliment coming from an old man of security like him?

OK, I've been in security a long time, and my post the other day about where security is heading may have been rambling, but that's because I really have no idea what's happening at present! It certainly wasn't a complaint as Richard seems to imply. It was a request for feedback if anything, a postulation of several hypotheses for some extra scientific input from field scientists, you guys. My thinking at the moment is that whilst there is an element of convergence, there is also massive divergence, and that's being caused by vendors (like myself and Richard).

When he says I'm tired of my own industry, yes I suppose I am. That's very specific though, "my own industry" is very much tied to vendors, network security, and the marketing bullshit that comes out of that area. It's been very much device orientated. I'm tired of FUD, I'm tired of compliance being confused with technical specifications. I'm tired of the same mistakes being made over and over again. Yes I can be short-tempered with people who I find ignorant, who repeat misquoted statements as fact ("70% of attacks are internal"), but if someone crosses or questions me, I have all the patience in the world. I like questions, and I like answers, but if somethings going nowhere, I want to kick it and get it moving.

There's far too much criticism and one-upmanship going on at the moment. Maybe the old guard is feeling threatened. I'm not a guru, I don't want to be. I'm no expert, I'm a trained professional, like all of you. We need more of a community, like Michael S's (I'm not attempting that surname) Security Catalyst Community for example, where everyone is equal, and encouraged to share. If someone says something incorrect, we teach, we don't criticise.

I never thought I could avoid rudeness through blogging, but I didn't expect it from here.

Integrity interest

I've been seeing a bit more interest in integrity in the past few weeks, and was pointed in the direction of a Slashdot forum where a method for log protection was being discussed:
"Recently I was asked by one of the suits in my company to come up with a method to comply with the new PCI DSS policy that requires companies to have write once, read many logs. In short the requirement is for a secure method to make sure that once a log is written it can never be deleted or changed."
The question here is based around PCI DSS requirement 10.5.5, one of the more difficult technical requirements to fill, but there are other, more obvious reasons for protecting the integrity of your data. I recently spoke to a vendor of security software for surveillance cameras. They want to be able to use their software to prove beyond doubt that the digital pictures it is capturing are "real". They need something independent that will prove that for them. It's a tough nut to crack, because they don't control the camera input, so they can't just stick a certificate in the camera chip and sign every image as it is created, only the DVR (digital video recorder) box that collects the pictures.

Having spent the past 6 months researching data integrity, I can tell you a couple of things about it, but I was still astounded at the sheer number and diversity of responses that the PCI question received. You will see from the title that it also applies to HIPAA and SOX. This is quite right, there are few regulations that integrity does NOT apply to in fact.

The topic is still only 15 days old and has 380 comments, most of which were posted in the first couple of days. They have covered everything I have come up with as competition to commercial integrity software, and some others straight out of left-field:
"Connect a line printer to mirror the log file as it's created. Use continuous fanfold paper. Get staff to sign and date first and last page. Lawyers love paper. (A magistate once asked me if a printout I presented in a case was an "original email". I said it was as close as you could get.) In all likelihood, no one will ever refer to it, so don't worry about that it might take 10 minutes to find a page. Once a month, ship it to a secure storage. For real paranoia, have two printers making two simultaneous copies."
A word to the wise, DON'T use paper. Your admin will be able to see it printing off and, well, if I'd been log-tampering I'd just burn it, wouldn't you?

Other more sensible suggestions include:

DVD jukebox: This is slow, and not fully secure. A DVD will ensure the integrity of data as it was written to it, but unless you can confirm that the DVD was the original DVD which data was saved to, you cannot guarantee the integrity of the data sent by the application.

EMC's Centera: EMC have had issues with this not being all that it's cracked up to be, and at hundred of thousands of dollars per terabyte, you're going to want something pretty damn good.

syslog-ng: Fine as a delivery method, if done over a secure channel, but once it is in storage, you have the same issues.

Homegrown solutions: This is the point of the post. The guy wants to write his own solution to address the problem. One word. DON'T! If you write a solution to address regulations and it works, great. If you write a solution and it fails, it's not your ass on the line, but your boss's, and his, and his, right up to the CEO. Better to pass off that responsibility to a company who have written a commercially available solution.

Timestamping: On the surface this looks simple and useful, underneath the covers it isn't. For timestamping to work you need a secure time source. To get this, you will need an HSM, your costs have just risen by $20k before you even install the timestamping software.

So, obviously as the Product Management Director of a data integrity software company, Kinamik, I'm going to find holes in everything that isn't commercial data integrity software, but I'm where I am because I believe in it, not the other way around. It's worth doing, it will save you headaches, and give you peace of mind. If you encrypt and provide access controls and integrity to you data, you have very secure data.

Information sharing environments need integrity proven, to show that no-one has tampered with data on it's way to you via half a dozen points in the network. Cameras, as above, can use this. How about telephone logs? Medical databases, HR databases, finance, etc.? There are a hundred different applications.

I write about this all day everyday, and I just wanted to share this with you as I've found it very interesting so far. I will write some more about how useful integrity is another time (and have done previously). I noticed another post on the SBN last week which mentioned a similar issue. I offered a hand, but have not had any response as yet.

We are still looking for reference customers in the US, and I'd be happy to talk to anyone about it.

Monday 13 August 2007

Compare and contrast - WSJ article is out

Well, it's not quite what I had in mind, but it's better than the last one: here is the article I've been waiting for, compare and contrast with my input here. She changed my password section, so there is no longer mixed case, and anyone using the password MICR0S0FT should be executed. But it doesn't really matter because she hasn't credited me with anything except "how to create shortcuts" at the end. The years of training and management were so worth it.

If I had to submit this much to get that much recognition, I'm wondering what Robert Lamm, mentioned at the beginning had to do. Oh, maybe I shouldn't think too hard about that, might put me off my breakfast.

Well, it's not the great apologetic article I hoped it would be, but it's not totally awful, I guess I should be pleasantly surprised as I was expecting to have to change my name and emigrate today.

Newsflash: Journalist prints article, life goes on as usual.

So I'm not going to get famous for that one, but maybe someone will have a stronger password, or be less stupid about using email on your network. You'll never know I suppose, but you may just have me to thank. You can take me out to dinner next time I see you. :)

Next time you see me in print will be over on Kai Roer's blog, which I'm looking forward to far more. He showed me a transcript yesterday of our interview with an introduction where he said that I "can make people tear their hair out of their head", which is picturesque if nothing else.

Apologies to those who I have made tear their hair out, especially Kai, who seems to have gone further than most. Sorry Kai, couldn't resist that one. :)

IT dos and don'ts: my submission to the WSJ

I've just been informed by our friend at the Wall Street Journal, Vauhini Vara, that her next security article is running on Tuesday, with some input from your humble author. I have to admit I'm still a little nervous. So, here is my version, unaltered, with references where I've taken chunks of text from other people's sites.

Vauhini asked me for "tips that employees can use to do a better job using IT without violating company policies". I interpreted that into my own personal list of dos and don'ts. Some you may find horribly familiar, some you may disagree with, in other cases the examples may not be spot on. I'm sure you'll all be able to find something to criticise in fact, but for me this was about security awareness rather than the exact technical reasoning for each case.

Whether she uses all or any of these is up to her of course, she may not use any of it at all. Either way I hope to breathe a sigh of relief at some point tomorrow.

So here goes nothing:

  1. Passwords:
    1. Don’t keep passwords on a post-it note on stuck to your monitor, if someone has your username and password, they can masquerade as you and anything they do on the network is then your responsibility.
    2. Don’t make your password a name (of a pet or partner for example). Password crackers use lists of names to break into poorly protected accounts.
    3. Do use passphrases to remember your password, for example: “Vauhini is always safe for work” becomes “Vias4w”. This will help you remember the password and avoid the need to write it down AND makes it harder for crackers to discover by brute force.

Example:

LexisNexis 2005 – In September 2005, the company discovered 59 incidents of improper access to the data. Perpetrators used computer programs to generate IDs and passwords that matched those of legitimate customers. In other cases, he said, hackers appear to have collected IDs and passwords after using computer viruses to collect the information from infected machines as they were being used. 310000 users of the LexisNexis database were potentially affected.

[NOTE: This is taken from Milton Sutton's Security Breach Notifications paper, here.]

  1. Internal documents:
    1. Don’t send huge files over the internal network via email. This will slow down the mail server, and if there are many parties working on a document and they all “Reply to All” each time it is sent, the mail server can be put under enormous strain unnecessarily.
    2. Don’t just change things in documents and expect the other people editing it to magically know what you’ve done, or accept it.
    3. Do keep files in a centrally available storage space which everyone working on the document has access to. Restrict access to any other parties accordingly.
    4. Do switch on “track changes”, so that when any user makes a change or a comment, it is recorded and logged.
    5. Do assign an owner of the document who can review and agree to all changes, make the necessary rights changes and say when the deadlines are supposed to be for edits.

Example:

A company in the UK was renovating a toilet in their head office. A helpful PA sent plans around to each of the directors asking for feedback on the attached plan. This plan was around 8Mb in size, not huge, but enough to incur a wait to download, even on the local network. So, whilst 8Mb to 8 directors caused a barely noticeable twitch in the network, what happened next shows the with sending large attachments, even of a relatively small size as 8Mb.

The directors all replied to the email, each of them copied in each of the other 8 directors, with the plans attached, with their adjustments made. 8*8*8=512Mb. Now half a Gb of information was travelling through the mail server. A slightly longer delay took place, but everyone eventually got their mail. The managing director emailed all 60 employees of the company for their feedback. After the struggling server mailed out 60*8Mb of plans, EVERYONE in the company mailed back their version of the plans, with EVERYONE in the company copied in, these copies were returned each time one managed to squeeze through. N*60*60*8 = mail server death. The mail server crashed and all the plans were lost. Eventually a meeting was held, and the plans discussed on paper.

[NOTE: I remember reading this story sometime last year, and it stuck with me because it's so stupid. If anyone has any reference for it, I would be very pleased to hear from you.]


  1. Storing files:
    1. Don’t store all your work files on your local machine. This is a hard one to remember, especially if you are very mobile, but laptop theft is the number one global cause of data loss.
    2. Do store private work files on central storage inside your company, and not on your local machine. If you need to take confidential documents home to work on them on a laptop or other portable storage device, make sure the document is encrypted in storage.

Example:

Merill Lynch, August 7, 2007: A computer device apparently was stolen containing sensitive personal information from Merrill Lynch, including Social Security numbers of some 33,000 employees. It was not encrypted.

  1. Reporting incidents:
    1. Don’t waste your support team’s time with pointless calls. Check everything before you call up. I worked on a helpdesk many years ago, and about 75% of calls were for network printers around the (very large) building not working. Around 50% of these were solved with the words “is it switched on?”
    2. Do check everything you can think of before calling up. The more information you have about the problem you are reporting, the more chance there is that it will get fixed, and the quicker the helpdesk will be able to respond.

Example:

The place mentioned below charges about $100/issue for tech support:

  • Tech Support: "So what can I do for you?"
  • Customer: "I'm trying to run Live Update with Norton, and it came up to a screen with a list of updates, and it says 'Next.' What do I do?"
  • Tech Support: "Did you hit 'Next'?"
  • Customer: "Oh, it's working now."
  • Tech Support: "Anything else I can do for you?"
  • Customer: "No, that's it, thanks."
[NOTE: This exchange is taken from the RinkWorks site. Have a read, it's very funny.]

  1. Email usage:
    1. Don’t reply to spam mails under any circumstances. Sending “unsubscribe” to a spammer is fruitless. This lets the attacker know your address is valid, and will not stop further mails, but more likely increase the amount of spam you receive.
    2. Don’t get sucked in by hoaxes. Every time there is an event, especially one which pulls on your heart strings, a callous spammer will try to take advantage. If you are asked to send a chain mail to help find a lost child, support cancer awareness, etc. don’t send it on. If you are in any doubt, look up the text of the mail on a search engine. If it has been caught as a spam already it will show up on various websites as such. Many chain emails threaten a horrible fate if you do not, don’t worry, this won’t happen.
    3. Do report spam and phishing emails to your administrator so they can be filtered out. Do report phishing emails to the institution they are purporting to be from.
    4. Do switch on email security. Disable links in emails until you specifically choose turn them on. Spammers and phishers often put active links inside emails so that when they are read it notifies them. They then know your address is a legitimate one and will continue to send you trash.

Example

The “Love Bug” virus of 2000. It is estimated that the so-called "Love-Bug" email virus caused some $10 billion in losses in as many as 20 countries. The virus was originally distributed in an email with the subject line "I love you". The message contained the text "kindly check the attached LOVELETTER from me" and an attached file called LOVE-LETTER-FOR-YOU.TXT.VBS. If this attachment was opened it replicated itself and transferred itself to all addresses within a user's email address book. The virus also deleted graphic files ending with the letters jpg or jpeg, and altered music files ending in mp3 to make them inaccessible.

[NOTE: This is taken from the World Socialist Website.]

  1. Downloads:
    1. Don’t download anything from sites you do not trust. Check with your IT department if you are not sure of the trustworthiness of a site.
    2. Don’t visit porn sites or cracking sites at work, they will almost certainly contain viruses.
    3. Don’t install any software on your work machine without checking with IT. You probably won’t have rights to anyway, but even attempting to can launch viruses which are not necessarily detectable by your antivirus.
    4. Do assign a dedicated machine in the office for downloading, off the shared domain. If there are any problems then the single machine can be isolated more quickly than if it was part of the network.

Example:

In 2005, a website “msgr8beta.com” was set up, purporting to have the leaked version of MSN Messenger.

However, the download offered from the Web site did not contain Messenger code. Instead, clicking on the site download links installed a virus and caused Messenger to send download links for the malicious site to IM contacts. The virus also connected infected machines to a remote "botnet" that was used to issue commands to the infected host.

This type of attack has been successfully used to bring web services to a halt in many companies, and more publicly a complete denial of the content filtering service of Akamai in 2004.

  1. Social engineering:
    1. Don’t let your guard down when it comes to personal information.
    2. Do question people if they ask for any personal details over the phone or in person. For example, banks will not ask you for your password or PIN over the phone.

Example:

AOL experienced a social engineering attack that compromised their system and revealed confidential information of more than 200 accounts. In that case the caller contacted AOL's tech support and spoke with an employee for an hour. During the conversation the caller mentioned that his car was for sale at a great price. The employee was interested, so the caller sent an e-mail attachment with a picture of the car. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall. Through this combination of social engineering and technical exploitation, the caller gained access to the internal network.

[NOTE: This is taken from Audit My PC website.]

Choicepoint 2005 – Scam artists found their way into computer systems, gaining access to personal data on about 145,000 people, resulting in at least 750 cases of identity theft.

And finally… always be aware of your security policy. The biggest issue with problems relating to IT and Security in the workplace come through ignorance:

Security policy:

  • Don’t ignore your security policy. It’s there for a reason, and if you are aware of it, you won’t get caught out.
  • Don’t think penalties for breaching policy will not be enforced.
  • Don’t think you won’t get caught. IT systems are full of logs which can be searched for many months or years after an event.
  • Don’t rely on a plea of ignorance if you are. Just because you aren’t aware of the security policy, doesn’t mean it doesn’t apply. The penalties are still there, even if you don’t see them.
  • Do take time to familiarize yourself with the company security policy. Make others aware of it if you think they are in breach.
  • Do report others’ breaches to the administrator of the network. You will be able to do this confidentially, and the administrator will know of ways to keep your identity safe.
I'm sure I've missed stuff, and I expect I've made errors along the way, but hopefully Vauhini's superior reporting skills will weed out any of the inconsistencies...

See you at the showdown. Just remember, I did it for Security, not the fame.

Can someone save a copy for my Mum? Thanks.

The good, the bad and the ugly

Emergent Chaos and Light Blue Touchpaper beat me to it today, but this is good (and I have a better title). The House of Lords in the UK is saying that data breaches should be reported, a la SB1386. We desperately need something like this to bring badly secured sites under control.

However, although the Lords can pat themselves on the back for that one, the rest of our illustrious government cannot be so smug. An independent report has concluded that there is a general lack of security in Government, so much so that they are not yet ready for inter-departmental information sharing using the current infrastructure. Imagine that, a British insitution being described as inadequate... this is bad.

None of this surprises me one bit however, I've been talking about the data breach proposal for months, and am still expecting it to come in around November. As for information sharing in the government, hmm. They can't even keep their trousers on most of the time, I wouldn't trust them with a laptop.

No, what I've spotted as a worrying trend, and one I hope to high heaven will stop as quickly as it seems to have started is the likening of the internet to "The Wild West".

I wasn't there, but I've watched films and read books, so have a reasonable idea that the Wild West was a lawless barren wasteground filled with amoral thugs and outlaws. This is where the allusion to the internet comes from obviously. However, that's really where it should end. Nowhere in the Wild West did we see a long haired weirdo in sandals beat a spotty bespectacled geek at Halo, Billy the Kid did not hang out on Facebook, and Butch and Sundance could have hidden forever in today's wildest corners, Bolivian army or none.

I realise this comes from laziness, as most cliches do, but can we nip it in the bud, before it gets ugly?

Thursday 9 August 2007

Long tail security analogy

My wife saw something on the BBC website about a new mashup search tool called SPOCK and asked me all about the security of it. Obviously I made stuff up because I didn't want to admit I'd never heard of it, and then waited until she'd gone to bed to read what I could find. Such is the way of the husband.

The BBC had this to say about spock.com:
Spock.com, which launched today, also trawls social networking sites. The search engine claims that it currently has more than 100 million people indexed, but like Wink it has big ambitions. Its co-founder Jay Bhatti told the news agency AFP that he hoped it would eventually be able to provide a search result for everyone in the world. Spock.com, like Zoominfo.com, Wink.com and other search engines such as ProfileLinker and Upscoop, allows users to take control of their profiles. Rather than letting the fate of your profile be left down to what is written about you on the web, the sites allow users to amend, update or add new information about themselves.

But what if you do not like the idea of this kind of information being available at all?

"The caveat today is be careful what you post" - Alan Chapell

Quite, but I'm really nervous of this type of thing. Not because I have anything to hide, I wouldn't blog if I did, but because of how all of this is being 'grown'. WebAppSec isn't something I have a great deal to do with, there are far better men than I in this area. Jeremiah Grossman is the king of these pages, for good reason. To be clearer why I don't like the idea of this, it's nothing to do with my personal data. I'll happily tell you who I am, my NI number (Social Security equivalent), email address, birthday, credit card details, convictions, etc. They're all available online anyway (I expect). I've had my identity stolen before, and although unpleasant, it's simple to recover from.

No, the reason I am upset about it is the same reason Jeremiah would be upset, and I explained it to Mrs. Newby with the following analogy:
Imagine someone has built a house, which they are happy with, and use a lot, and I realise that I could get some use out of his house by building something on top of it. I don't know what his house is made of, where the supporting beams are, any of the internal dimensions, I just see that his wife is happy and I want a piece of that. So I decide to build an extension on his house, so that I can get some of his homely goodness. I build my extension out of bricks, knock a hole in his house to allow me access, and make big enough for me to allow 100 visitors a day in through MY new entrance.

Now, if his house is made of bricks, the wall I've chosen is not supporting the house, he has a hallway big enough to accommodate 100 people at any one time, and doesn't mind me being there, great, we're all fine and dandy. There might be a few holes to patch up between my building and his, but we'll call the consultants in to fix these.

If his house is made of sticks (unusual I know, but this is an analogy, bear with me), I've just knocked through his reinforced bamboo joist, into his main living area which is only big enough for him and his wife, then we're in trouble. So is he. The house will collapse, my extension will at the very least be useless. His wife certainly won't be happy.
So, you see how I cleverly turned that into a "keeping the wife happy" story, just to keep my wife happy? That's the secret of analogy my friends. It also explains why I'm nervous about Web2.0, absolutely positive that Mark Curphey is right about the long tail of security - it's where we're going to have to fill the gaps, or make sure the "houses" are stable enough in the first place. Maybe I'll have to learn a bit of WebAppSec after all...

One last point my wife just mentioned. Why is spock.com invitation only? "It's not like it's a school disco or something. They SO want everyone to join." - Mrs. N.

Yes my darling, I expect they do. I can't imagine a reason why they wouldn't at least. What good can it possibly do them to only invite a select few million people? Well, you can apply to be one of those people, so I don't really think it's that exclusive. I imagine this is also a publicity stunt. It also helps when people ask them how many users they have if they have a capped limit. I don't think this site is really going to work, but it's helped to illustrate a point.

Where's security going?

I'm having flights of fancy, as I often do after reading Jon's Network. Today he talks about network devices needing more interoperability. Now I know Jon works for a reseller who shifts a lot of network devices in the US, just as I used to in the UK. It's interesting to see the patterns which the market follows, occasional panic buying of the latest fad, long periods of nothing for vendors who are out of fashion, but if you remove the peaks and troughs, it's otherwise pretty random.

Newflash: People buy kit when they need it.

So, when Jon talks about having a generic platform on generic hardware that we can turn into whatever device we want, anywhere in the network, that would make sense wouldn't it? I can't see any device vendors agreeing with this somehow. I can hear them all cringing in fact, because they will know, as we do, that their balance sheets aren't looking as healthy as they were 5 years ago.

I've seen the market really slow down recently. Mark Curphey talks about the long tail of security. The truth is, the short fat end of the beast is already full to bursting, the long tail is all that's LEFT of security. The bloated security pig has gorged on overweight, slow moving devices for a long time, and now it's just full of the skeletons of long dead technologies which it needs to dispose of. [I should just note here that the pig/beast I refer to here is Security, not Mark.]

Nice analogy, but does it mean anything?

Truth is, I don't know, and I could argue myself into the ground on this one. The theory is right, but the practice will be far different. People will not shell out on generic hardware when they don't need it. Businesses invest in hardware when they have a specific issue to address. If device A can fix that ten times faster and better than device B for the same price, the business will buy that, regardless of whether device B can boil the kettle and make toast too.

Generic hardware will not be trusted to do a better job if it's doing more than one. The only way the platforms will ever become more widely adopted is through open source. The hardware I suspect will be recycled as virtualisation technology takes over and the hardware is less important.

Of course this has ramifications for distributors and resellers. Theoretically the hardware market should reach a plateau, the software market should go open source, and the only products left will be low margin niche add-ons. If this happens, the only money is left in consultancy.

This feels familiar to me, when the hardware market collapsed in the 80s and IBM had to make a spectacular change of direction (read IBM Redux for the full story, quite amazing. My father was quite senior in the UK arm at the time so I knew a little bit about it first hand, they were worrying times). This was due to everyone else jumping into the hardware market and Microsoft cornering the operating system of course. But this isn't so different to the way things are now. The hardware market is already saturated with as much kit as can usefully be sold, only replacements are left, and only a change in the way it is used can make any sense in getting more value from it.

IBM became very good at consultancy of course, and investing in smaller companies to do specific tasks. Kind of sounds like Web 2.0 to me. I think IBMs model is sustainable... :) They seem to have done a pretty good job of staying alive so far! This seems to be the only way of riding out the changes in the market that we are seeing. So should we all be consulting?

Well no. The only way we are going to make any progress at all is if there is some variety. We need to be talking about standards so that the things we are fitting into the long tail can all talk to each other as Jon says. XML may not be the best tool for the job, but I think this is just an example of a very flexible standard, there are plenty of others.

I can't help thinking that we need to be moving towards software solutions rather than hardware, it should all be about presenting the customer with choice, and there's no real quantum jump in this for the clients.

The only problem it presents is to hardware vendors when the massive margins disappear. Some hardware vendors argue that they need specific hardware to do the job, built in HSMs, FPGAs, ASICs, etc. but I'm pretty sure we could build all of that into generic hardware boxes too. The problem then is, who's going to build the hardware and take all the risk?

For this reason I think we will see the large hardware vendors continue to do well, the new kids on the block will be forced into SOA software to survive, and the existing solutions may have to port hardware solutions to software only, integrating with SOA or .Net, depending on which world you live in.

Might not happen like that though, just a thought...

Wednesday 8 August 2007

What is security?

Well, I think we've roundly proven that security isn't journalism. I always thought security was a technical issue, but soon found out that that wasn't true, despite the number of moans from engineers that PCI isn't good enough, etc...

So, what is security? I've often said here, quite lazily as it turns out, that security is a business issue. But what is "business" exactly? Well, the more I read about security on other people's blogs the more I am drawn to the new theories being put out there by people like Mark Curphey, Jon Robinson and Alex Hutton. I don't think Alex will thank me for putting him in the same category as the other 2, as he is firmly set in the Risk arena, however, what they all do superbly in different ways is discuss the economics of security.

I really believe this is the "now" of security since it has gone mainstream. As Mark rightly points out in 3 superb recent posts, the money in security is located in its "long tail", not the commoditised "silver bullet".

I think we're going to see a lot more need for proper linking together of security, more movement towards frameworks and SOA, possibly driven by open source, and definitely a lot more for consultants. There's still money to be made out of security as it is, but the market is changing, rapidly now, and we all have to change with it.

Of course, making people aware of security is a big helping hand on the economics ladder, not just in terms of making sales, but allowing people to see how security can be leveraged in a multitude of different ways dependent on their needs. Smaller vendors can breathe a sigh of relief in the knowledge that MicroGoogle cannot fill every niche that they can, but it may mean smaller returns in the short term, or a different business model.

As security itself becomes more static, fewer quantum leaps are being made, so my job has moved from being able to do the technical dance to doing the business dance. I find the input of the economists invaluable, and it's like a breath of fresh air to me.

Web 2.0 is here to stay, securing it moves us into a new arena. As for me, I may have to go back to school.

MadKasting