July 28th, 2010
A colleague lent me his most recent copy of IEEE’s Computer magazine. Inside was an article entitled A Web 2.0 Model for Patient-Centered Health Informatics Applications (IEEE membership required to read). Some possible benefits of their proposed approach were listed, including:
- Run deeper analytics across physicians groups and facilities, which can include relevant patient data…
- Provide a wide community of health professionals with feedback on the use and effectiveness of protocols…
- Share similar and alternative protocols and their analyses across many medical facilities and individual providers…
Anyone want to guess what’s completely missing from their approach? You guessed it, any mention of security. The commonly misunderstood (and frequently misspelled) HIPAA makes it pretty clear that the privacy and confidentiality of personal health information must be protected. Even without HIPAA, it would just make good sense to be extra careful when sharing information and running data mining and analytics across large sets of health information.
The only mention of keeping information safe in the article is the fact that there is a division of data between the protocol, protocol modifications, and actual patient data – but it is very difficult to draw such bright, clear lines when it comes to medical records and information. How can you be sure the protocol modification a doctor submits won’t include information on the patient he tried it on? Without even mentioning or considering the need for the protection of privacy, confidentiality, and data integrity within such a system, the authors of this article have done themselves and the software community a disservice. Security requirements and threats must be considered at every phase of the life cycle, especially during the architecture phase. As Kenneth van Wyk and Mark Graff put it in their book Secure Coding: Principles and Practices,
As a general rule, the hardest vulnerabilities to fix are those resulting from architectural or design decisions. You may be surprised at how many of the vulnerabilities you have heard of we ascribe to errors at “pure think” time.
By developing an 8-page article published in a respected technical journal without any mention of the need for security controls in such a system, the authors of this article have once again helped me with my job security. It is still difficult for me to foresee the day when security and risk management training programs won’t be necessary, and we won’t need an information security industry.
Tags: Electronic Health Records, IEEE Computer, Personal Health Information
Posted in article, data protection, privacy, rants, software by Peter Hesse | 1 Comment »
June 11th, 2010
If you haven’t already heard about LIGATT Security, you need to. I won’t do them the favor of linking to them from this blog post, but I would like to provide some information about why I’m afraid of them. No, it’s not because they have the world’s #1 hacker.
There is a lot of terrific information about the company, its misdeeds and wrongdoings on attrition.org’s Charlatan page for Gregory Evans, the LIGATT founder and CEO. Convicted of wire fraud in the beginning of last decade, Mr. Evans made good upon his release from prison by… marketing a caller ID spoofing service starting two days after the US House of Representatives made caller ID spoofing illegal.
Another fantastic resource is the book review issued today by Ben Rothke on Gregory Evans’ book How To Become The World’s No. 1 Hacker. In the review, Rothke explains:
In short, this is merely a work of cut and paste. In the parts of the book where the author attempts to write original text, it’s ripe with various errors. I could list many such errors, but why bother… But the real offense is the author’s blatant use of unattributed sources. I am not talking about a paragraph here or there, it is about wholesale plagiarism, often taking the form of an entire chapter.
So what scares me about them? No, it’s not that they have the “#1 hacker for hire”. I’m more scared of my own employees than this joker. It’s because they are a marketing machine that is escaping the ire of the media. In fact, they’re getting fluff pieces on Fox News and publicizing frightening commercials, taking out full page ads in hakin9 magazine, talking on radio stations, and issuing press releases and ALL CAPS tweets regularly. There’s even a movement to get LIGATT profiled on Oprah.
They proclaim on their front page “LIGATT Security is a leader in cyber security.” If anyone treats and respects this company as a “leader” it will put the community of hard working information security professionals many steps behind. Organizations like this give the whole security community a bad rap.
Tags: hacker, ligatt, plagiarism
Posted in hacking, rants by Peter Hesse | 20 Comments »
June 2nd, 2010
For starters, let me just say that I personally have three Mac systems and three Windows systems I interact with on a regular basis. I’m writing this blog post from a MacBook Pro. However, there is a wide and growing misconception about the security of Mac systems vs. the security of Windows systems. I just came across the following post in PC Magazine’s Security Watch blog, and there is a lot of good information in there; specifically, the following quote is one I want to share:
In the abstract, Macs are every bit as vulnerable as Windows systems, perhaps more so. But in the real world Mac malware is so rare that it actually makes news. Hundreds of Windows trojans like OpinionSpy come out every day. Mac users are generally “irresponsible” about such things, but for now they can afford to be.
My neighbor mentioned the other day that she got a Mac and loved it because (a) it was easier to use, and (b) it was more secure. Point (a) can be argued both ways; some things are easier to do on Windows and some are easier on Mac… but point (b) is something that troubles me. The lack of publicized vulnerabilities and attacks does not mean more security. Joe User wasn’t concerned about the advanced persistent threat before Google released information about the Aurora attacks.
The bottom line I try to keep telling people: there is more malware written for Windows because that is where the market share is; the attackers are going after the largest market out there. As that market dries up they will focus their efforts on OS X, and when that happens, beware. Mac users, don’t be too comfortable. Get an anti-malware product. Turn on your firewall. Turn on FileVault. Disable automatic logon. Don’t make yourself the easy target when the bad guys turn their attention to Macs.
Tags: apple, mac, security
Posted in hacking, rants by Peter Hesse | 2 Comments »
March 23rd, 2010
As some of you know, a lot of my background is in the world of Public Key Infrastructure. I’ve been involved in every phase of PKI, including developing certification authority and ASN.1/DER encoding/decoding software, developing automated registration authority components, creating certificate policies and certification practices statements, as well as designing and rolling out production PKIs for large organizations.
Increasingly, organizations are turning to the use of Active Directory Certificate Services, otherwise known as Microsoft Certificate Services. The reasons are many: it’s included with the purchase of your Windows Server product, it’s easy to configure and use, and did I mention it doesn’t cost any (additional) money? The Microsoft product is a fairly good one and provides for a lot of customization and configuration so that it can be useful in just about every environment. We use this product for our company-issued certificates which are used to encrypt email.
Tags: ADCS, Certificate Services, Certification Authority, New Certificate Template To Issue, PKI
Posted in Tutorial Tuesday by Peter Hesse | No Comments »
March 22nd, 2010
Chances are, if you read 10 articles or blog posts about the 2010 RSA conference, you will hear the term “cloud computing” ten times. The cloud was clearly the dominant theme of most of the presentations, product demonstrations, and discussions which took place at the Moscone Center in the first week of March 2010. However, another theme was nearly equally present in presentations and discussions: Cybercrime.
Tags: #rsac, Cybercrime, RSA Conference
Posted in RSA Conference, data theft, hacking by Peter Hesse | No Comments »
March 18th, 2010
As I mentioned in an earlier post, the 2010 RSA Conference Keynote addresses have been posted online and I’m linking some of my favorites from the 2010 conference. You can view an interactive webcast, view the video, or even listen/download audio-only podcasts of the keynote presentations. It is often hard to follow the keynotes in the first day, so I’m just going to mention the highlights from the rest of the week.
- Tuesday’s keynote by Philippe Courtot, Chairman & CEO of Qualys, was a pretty good one, and should have been given prior to some of the other keynotes since it provided a bit of a primer on cloud computing. He discusses some basics around cloud computing and what it will likely become in the future.
- It is always important to hear what the Government has to say, so Janet Napolitano’s brief remarks are worth watching.
- Tired of pure security talk? Catch a good presentation and discussion on emerging brain-computer interfaces by Dr. John Donoghue.
- While I think Art Coviello’s keynotes have been getting better over the years, I always preferred the first day keynotes by Jim Bidzos. We were fortunate to get a keynote presentation from him this year about security and trust on the Internet.
- And finally, the always entertaining Hugh Thompson provides a look at the steps forward and back in security over the last year and interviews a few individuals including Craig Newmark from craigslist and Steve Wozniak.
Keep an eye on the 2010 RSA Conference website, especially if you were an attendee/delegate. Over the coming weeks and months they often make some of the most highly valued discussions and presentations available for viewing. It is a good way to stay connected to the themes of the year even if you couldn’t be at the conference.
Tags: #rsac, RSA Conference
Posted in RSA Conference by Peter Hesse | No Comments »
March 16th, 2010
I know this post is a bit delayed, but this is a good opportunity to take advantage of the fact that the 2010 RSA Conference Keynote addresses have been posted online. You can view an interactive webcast, view the video, or even listen/download audio-only podcasts of the keynote presentations. Some of my favorites from this past RSA conference included:
- Art Coviello’s keynote continued his theme from last year on the increasing need for companies and competitors to work together to secure the cloud. He made an initial announcement of the collaboration between EMC (including RSA and newly acquired Archer), Intel, and VMware to provide mechanisms to trust the physical and virtual hardware elements of a cloud-based computing infrastructure (and therefore help meet compliance requirements). He also brought up an extremely good point: the transition to cloud-based computing is inevitable, and rather than wringing our hands about how difficult it will be to secure, we should see this transition as an opportunity to change the way security is performed and delivered. It was a traditional type of message for Mr. Coviello, but one that resonated with me better than his keynotes in previous years.
- Scott Charney’s keynote was focused on what Microsoft is doing to help us achieve end-to-end trust. It was interesting to hear that Scott has been at Microsoft for eight years, which is about the exact same amount of time since Bill Gates’ Trustworthy Computing initiative was started. While Microsoft has often been hammered for making mistakes with security, it is clear that the last eight years have seen terrific improvement. He similarly delivered a message including some new efforts Microsoft is involved in, and indicated that collaboration was the key to success in the security arena. A great quote from that presentation:
And every now and then I juxtapose my four and a half year old with my 80-year old mother, in part because they behave so much alike it just astounds me. But let me tell you one way they also behave alike. My four and a half year old has learned to navigate with a mouse, and it’s just great to watch. He navigates to the mouse, up pops this security dialogue. He can’t read. He doesn’t understand it. He clicks okay. Then I go to my mom. She’s got a PhD in education. She gets the dialogue box. She can read, she doesn’t understand it, and she clicks okay. Okay? We can’t do it that way anymore.
- The Cryptographers’ Panel included a new member this year, Brian Snow from the NSA. If you watch nothing else, you should watch this for the broad scope of education, information, and entertainment it provides. Having the perspective of the NSA added is an interesting one, and it is clear from the ensuing discussion that the academic community (represented best by Ron Rivest and Adi Shamir) still doesn’t trust the NSA, and that the NSA believes it still has a leg up on everyone when it comes to cryptographic advances.
- Some brief remarks from Howard Schmidt, White House CyberSecurity Coordinator. He gave a powerful analogy between how cybersecurity is evolving compared to how firefighting evolved. He also provided some updates about what the current administration is doing in the area of cybersecurity, building on the presentation by Melissa Hathaway last year.
Overall, the 2010 keynote presentations were among the better first-day keynotes in all the 10 RSA conferences I’ve attended. The above presentations were my favorites, and I hope you can spend some time to watch them!
Posted in RSA Conference by Peter Hesse | 2 Comments »
March 3rd, 2010
As you may already know, I’m attending the 2010 RSA Conference in San Francisco, CA. I’ve been spending so much time talking with vendors, going to keynote talks and going to track sessions that I haven’t had much time to finish writing and editing any full blog posts yet. Rather than rush to publish, I want to take my time and write up my thoughts and experiences fully. As a result, there will probably be a number of delayed posts in the coming days and weeks about my experiences here. For now, I’ll leave you with these teasers from my first day at RSA:
- Art Coviello (RSA) believes that the emergence of cloud computing will be our opportunity as an industry to turn the way security is delivered inside out.
- Paul Maritz (VMware) thinks the formula for embracing cloud computing is simple: improve efficiency, improve agility, improve security.
- Marc Benioff (salesforce.com) stated that Lotus Notes was conceived before Mark Zuckerberg was; enterprise software needs to change, and become more like Facebook.
- As evidenced by having Brian Snow (NSA) on the Cryptographers’ Panel: the commercial and academic communities still have a lot of distrust and suspicion of the NSA.
Other items I’ll be writing about: a lunch I had with F-Secure’s Mikko Hypponen where he discussed cyber crime, and a session I attended called “Winnovation- Security Zen through Disruptive Innovation and Cloud Computing”. Stay tuned!
Technorati Tags: rsa conference, rsac
Posted in RSA Conference by Peter Hesse | No Comments »
March 1st, 2010
Today, in advance of the 2010 RSA Conference, I had the benefit of attending the 10th CSO Council Bay Area Round Table: The Last Mile: The End of Paper. It was an interesting exercise with a mock trial (moderated by two judges) involving three wills signed with three different technologies: ink signature, closed-system electronic signature, and digital signature.
You would think this would be an easily decided scenario; the digital signature is a superior and more trustworthy technology, right? Well, not when you change the rules a bit. Basically, they made the strength of the process the inverse of the strength of the technology. Here are the key points from today’s trial, and I’d like your suggestions on which one you’d pick.
- Will 1: Ink Signature: happened a long time ago and seems to be in order, but there are no surviving attesters to the signature. Gives the entire estate to his wife, and if she predeceases him, to his son. As of today, the wife did predecease him, and his son has become estranged, will #2 being part of the reason.
- Will 2: Electronic Signature: signature is just a hash of the user name and the document being signed. Gives 1/2 the estate to Stanford University, and the other 1/2 to his son. The signature was not attested to by any other individuals. There are no security controls over the log files and no way to prevent modification. However, everything seems to be in order with the signature.
- Will 3: Digital Signature: signature uses the internal PKI of a legal firm which stores private keys on USB memory sticks (not cryptographic devices). A paralegal of the firm who helped create the PKI process is the sole beneficiary. The signature was counter-signed by two other individuals. The paralegal (“Bubbles”) administers the PKI system and theoretically could have recreated signatures or digital IDs.
So, if you had to vote for one of these as a juror, which one would you choose? Personally? I think all three are terrible and I fear the entire estate may need to go to probate. Let us know what you would choose as a juror in the comments.
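Why Will 2’s signature proves so little, as an added example that is not part of the post or the round table: the scheme described above (a bare hash of user name and document) beside a keyed tag assumed here purely for contrast, run over constructed sample text. The keyed version is still not a digital signature (the verifier needs the same key), only the minimum that makes “everything seems to be in order with the signature” mean something.

```python
import hashlib
import hmac
import secrets

# Constructed sample input (not from the post): the will's text and the
# signer's user name as the Will 2 system would see them.
WILL_TEXT = b"I give 1/2 of my estate to Stanford University and 1/2 to my son."
USER_NAME = b"testator"

def will2_sign(user_name: bytes, document: bytes) -> str:
    """Will 2's 'electronic signature': a bare hash over user name + document.
    No secret is involved, so anyone holding these public inputs gets the
    same value."""
    return hashlib.sha256(user_name + b"\x00" + document).hexdigest()

def will2_verify(user_name: bytes, document: bytes, sig: str) -> bool:
    return hmac.compare_digest(will2_sign(user_name, document), sig)

def keyed_sign(key: bytes, user_name: bytes, document: bytes) -> str:
    """Assumed contrast, not part of the mock trial: an HMAC under a key only
    the signer holds. A party without the key cannot produce a verifying tag."""
    return hmac.new(key, user_name + b"\x00" + document, hashlib.sha256).hexdigest()

def keyed_verify(key: bytes, user_name: bytes, document: bytes, sig: str) -> bool:
    return hmac.compare_digest(keyed_sign(key, user_name, document), sig)

def outsider_forges_will2(user_name: bytes, document: bytes) -> bool:
    """Someone with nothing but the name and the text 'signs' it; if the
    result verifies, the scheme shows only that someone had the text."""
    forged = hashlib.sha256(user_name + b"\x00" + document).hexdigest()
    return will2_verify(user_name, document, forged)

def evaluate() -> dict:
    """Runs both schemes over the sample will, then over a tampered copy."""
    tampered = WILL_TEXT.replace(b"1/2 to my son", b"1/2 to a stranger")
    key = secrets.token_bytes(32)  # known only to the signer
    sig2 = will2_sign(USER_NAME, WILL_TEXT)
    sigk = keyed_sign(key, USER_NAME, WILL_TEXT)
    outsider_key = secrets.token_bytes(32)  # an outsider can only guess
    return {
        # Both schemes accept the genuine document...
        "will2_genuine": will2_verify(USER_NAME, WILL_TEXT, sig2),
        "keyed_genuine": keyed_verify(key, USER_NAME, WILL_TEXT, sigk),
        # ...and both reject the tampered text against the original tag...
        "will2_tampered_old_sig": will2_verify(USER_NAME, tampered, sig2),
        "keyed_tampered_old_sig": keyed_verify(key, USER_NAME, tampered, sigk),
        # ...but only Will 2 lets an outsider simply re-sign the tampered text.
        "will2_outsider_resigns": outsider_forges_will2(USER_NAME, tampered),
        "keyed_outsider_resigns": keyed_verify(
            key, USER_NAME, tampered, keyed_sign(outsider_key, USER_NAME, tampered)),
    }
```

The integrity check that Will 2 appears to pass is hollow: the same public inputs regenerate the hash for any text, so the log files the post mentions are the only thing standing between the document and silent rewriting.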
Posted in regulations by Peter Hesse | 1 Comment »
February 23rd, 2010
Today Slashdot had a story about an Australian transportation plan that was broken early by a newspaper. The transport minister said the access of this information was akin to the newspaper trying to “pick the lock off a secure office and take highly confidential documents”. What was the brilliant security plan that was supposed to be protecting this information? The information was all stored at an unpublished URL with no security or authentication in place.
We in the security industry call this “security by obscurity”. And it is not security at all.
Posted in data protection, data theft, hacking, rants by Peter Hesse | No Comments »