Friday, February 5th, 2010 No Comments »
The first night of ShmooCon is a wrap, at least for the presentations. First off, my shout-outs to all those who actually made it this year. The DC weather hasn’t been too kind to any of us, especially those traveling in specifically for this Con. But to those who made it, I salute you (even more so to those who had to walk a couple of miles to get to their hotel because they didn’t make or take reservations at the Marriott).
(more…)
Tuesday, January 12th, 2010 No Comments »
SearchCompliance.com has posted an article detailing important regulatory compliance trends that will affect IT in 2010. The trends that were listed include:
- Automation of compliance processes
- More regulation en route
- FISMA compliance reform
- More enforcement for noncompliance
- Federal data breach and privacy laws emerge
- Cloud computing complicates compliance
- SOX compliance for small companies
- Migration to risk management
I was quoted in a couple parts of the article with my visions of the future related to FISMA and risk management. It’s worth a read and a comment if you think they missed anything, or if my predictions are way off!
Wednesday, December 9th, 2009 No Comments »
If you haven’t heard yet, Google has opened up their own public DNS servers. Many people I know would love to use them rather than their ISP’s DNS servers for various reasons – mostly due to lack of availability.
I’ve been using OpenDNS’s resolvers for the last year or so, so this kind of service isn’t exactly new, and neither is the free option, since OpenDNS has one. So what does Google bring to the table from a security perspective?
Google has a good document describing the security of their DNS service. Basically, they’re concerned with availability (hence the overprovisioning) and with replay, birthday, and Kaminsky-style cache-poisoning attacks. The only things they might offer above and beyond your ISP’s resolvers are source-port randomization and randomized selection of which authoritative name server a query goes to. And in exchange, not only does Google get your searches, they get *every* web/e-mail/bittorrent/IRC server you go to. *put on privacy nut hat* Maybe I’m strange, but I’d prefer that Google – with their core competency as data and trends gathering – not have that much information about me.
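To make those three attacks concrete, here is an added example (not Google’s, OpenDNS’s, or this post’s code) of the resolver-side checks they target: one outstanding query per name against the birthday attack, an exact match on transaction ID, source port and question name against spoofing and replay, and a bailiwick check on every record. Messages are plain Python dicts rather than DNS wire format; the zone, query names and the 198.51.100.66 / 192.0.2.10 addresses are constructed for the example, and the timing race against the genuine upstream reply is left out.

```python
"""Toy recursive-resolver response validation, modelling the checks behind the
replay, birthday and Kaminsky attacks. Added illustration only; the message
format is a dict, not real DNS, and all packets are constructed."""
import secrets

MAX_TXID = 1 << 16                # the DNS transaction ID is 16 bits
EPHEMERAL = range(1024, 65536)    # source ports a resolver can randomize over


class Resolver:
    def __init__(self, randomize_port=True):
        self.randomize_port = randomize_port
        self.pending = {}   # (txid, src_port, qname) -> zone being queried
        self.cache = {}     # record name -> rdata

    def send_query(self, qname, zone):
        """Issue an upstream query. Only one query per name is ever outstanding:
        an attacker who triggers the same lookup many times does not get many
        simultaneous races to win (the birthday-attack mitigation)."""
        for key in self.pending:
            if key[2] == qname:
                return key
        txid = secrets.randbelow(MAX_TXID)
        port = secrets.choice(EPHEMERAL) if self.randomize_port else 53
        key = (txid, port, qname)
        self.pending[key] = zone
        return key

    def receive(self, resp):
        """Accept a response only if txid, destination port and question all match
        an outstanding query and every record lies inside the bailiwick of the
        zone asked. Anything else, including a replay of a response that was
        already consumed, is dropped."""
        key = (resp["txid"], resp["dst_port"], resp["qname"])
        zone = self.pending.get(key)
        if zone is None:
            return "dropped: no outstanding query matches"
        for name, _ in resp["records"]:
            if not (name == zone or name.endswith("." + zone)):
                return f"dropped: {name} is outside bailiwick {zone}"
        del self.pending[key]
        for name, rdata in resp["records"]:
            self.cache[name] = rdata
        return "accepted"


def kaminsky_payload(qname, port, txid):
    """Constructed spoof: answer a query for a throwaway name under example.com
    with authority and glue records that are *inside* the bailiwick, pointing the
    zone's name server at an attacker-chosen address (198.51.100.66, TEST-NET-2).
    The bailiwick check cannot reject this; only the size of the (txid, port)
    space stands between the attacker and the cache."""
    return {"txid": txid, "dst_port": port, "qname": qname,
            "records": [("example.com", "NS ns.example.com"),
                        ("ns.example.com", "A 198.51.100.66")]}


def brute_force_txid(resolver, qname, port_guess):
    """Off-path attacker who knows (or guesses) the resolver's source port and
    tries every 16-bit txid. Timing is ignored here: a real attacker must also
    beat the genuine reply, which makes 2^16 guesses marginal and 2^16 txids times
    ~2^16 ports impractical."""
    for txid in range(MAX_TXID):
        if resolver.receive(kaminsky_payload(qname, port_guess, txid)) == "accepted":
            return True
    return False


if __name__ == "__main__":
    fixed = Resolver(randomize_port=False)
    fixed.send_query("q7k2.example.com", "example.com")
    print("fixed port 53 poisoned:", brute_force_txid(fixed, "q7k2.example.com", 53))
    rnd = Resolver()
    rnd.send_query("q7k2.example.com", "example.com")
    print("random port poisoned:", brute_force_txid(rnd, "q7k2.example.com", 53))
```

The point the post is making about "random ports" is the `Resolver(randomize_port=False)` case: with a fixed source port the attacker only has to enumerate transaction IDs, and because the Kaminsky payload is in-bailiwick the poisoned `ns.example.com` glue is cached. The replay and out-of-bailiwick cases are the older attacks that `receive` rejects regardless of port choice.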
Google has obviously considered the security implications of running public DNS servers, but is the “cost” worth it to you?
Wednesday, July 15th, 2009 1 Comment »
Companies live and die by their policies, and they tend to be enamored with them. While having a good security policy framework is important for organizations of all sizes, it’s easy to get comfortable with your policies – until they need to be used, that is. A lot of smaller companies that are growing rapidly have some established security rules that aren’t as complete as they should be.
Just as users can pick bad passwords that still satisfy the password policy, you’re not as compliant as you think you are if you haven’t considered the following three things.
- You Don’t Review Logs – Most companies keep logs of some kind, but many of those logs are never reviewed before default rotation settings overwrite them. Regular log review, done before the logs are overwritten, lets administrators spot patterns and abnormal activity that a firewall, intrusion detection system, or other automated control might not catch. Apart from security, regular log review can help identify software glitches before they cause problems for your operations.
- You Don’t Have A Contingency Plan – Security plans at smaller companies, however well intentioned, may well lack a well-thought-out contingency plan. A tested contingency plan is important so that you know your backups will restore, your applications will be accessible, and you can get up and running within a reasonable time.
- You Don’t Test Backups – I should add, “and you don’t back up quite everything you should.” Related to #2 above, many companies only have backups of a single server, rely on default settings, and don’t keep an extra physical copy somewhere off site. If you’re one of them and your office burns down, those backups aren’t going to do you much good.
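As an added illustration of points 2 and 3 (this is example code, not anything from the post), the following Python script performs the kind of restore test that turns “we have backups” into “we know they work”: it archives a directory, records a SHA-256 manifest, extracts the archive into a fresh scratch directory and checks every file that came back against the manifest. The sample tree built in `demo()` is constructed for the example; in practice you would run the check against the off-site copy, on a different machine.

```python
"""Backup restore test: archive, record a SHA-256 manifest, extract into a
scratch directory and verify every file. Added example, not the post's code."""
import hashlib
import os
import pathlib
import tarfile
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive every file under src_dir and return {relative path: sha256} taken
    at backup time. Store the manifest apart from the archive (and keep a copy
    off site, like the archive itself); it is what the restore test checks."""
    src = pathlib.Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def restore_test(archive_path, manifest):
    """Extract the archive into a fresh scratch directory and compare every
    manifest entry with what came back. Returns a list of problems; an empty
    list means the backup restores cleanly."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # Python 3.12+: refuse absolute paths, "..", and links that
                # would escape the extraction directory.
                tar.extractall(scratch, filter="data")
            except TypeError:  # older Python without the filter argument
                tar.extractall(scratch)
        for rel, digest in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"corrupt: {rel}")
    return problems


def demo():
    """Constructed sample: a tiny tree, one clean restore test, then the same
    archive checked against a manifest with a tampered digest, and again against
    a manifest that lists a file the backup never captured."""
    work = tempfile.mkdtemp()
    src = pathlib.Path(work, "live")
    (src / "etc").mkdir(parents=True)
    (src / "etc" / "app.conf").write_text("listen=443\n")
    (src / "data.bin").write_bytes(bytes(range(256)) * 64)
    archive = os.path.join(work, "backup.tgz")
    manifest = make_backup(src, archive)

    clean = restore_test(archive, manifest)
    tampered = dict(manifest)
    tampered["etc/app.conf"] = "0" * 64
    incomplete = dict(manifest)
    incomplete["ghost.txt"] = "0" * 64   # a file that was never backed up
    return clean, restore_test(archive, tampered), restore_test(archive, incomplete)


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "incomplete"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The “missing” branch is the one that catches the post’s “you don’t back up quite everything you should”: a manifest built from what *should* be on the backup (rather than from whatever the backup job happened to grab) is the only way the restore test can tell you a file was never captured in the first place.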
There are some great things about standards and policies but it’s always easier to write them down than to put them in practice. That’s where many companies fail until something happens. Knowing that legal and regulatory compliance doesn’t necessarily equal security will save you from embarrassing and costly contingencies down the road.
picture: y3rdua
Wednesday, July 8th, 2009 2 Comments »
With Windows holding 89.6% of the global market share, it is a very large target, which is one reason it draws so many malicious attacks. So, what if you could change that and make your Windows machine or server appear as something else, even to the most notable fingerprinting tools (Nmap, p0f, Ettercap, etc.)? Well, you can.
(more…)
Monday, June 8th, 2009 2 Comments »
As many have noticed, Apple has released their new lineup of laptops, software, OSes, and iPhones. As I watched live coverage of the keynotes on Monday (thanks Gizmodo) – a few things caught my attention when they were speaking about the new iPhone 3G S.
The first thing that caught my eye was the mention of “hardware encryption.” Now, simply mentioning that a device supports hardware encryption can mean a lot of things, and Apple isn’t very clear about what they mean by this. Trying to do some further research didn’t help much either as I only ended up being further confused with all the different mentions of this “hardware encryption.” The official word from Apple is…
iPhone 3G S offers highly secure hardware encryption that enables instantaneous remote wipe. You can even encrypt your iTunes backups.
…according to that, it would sound like the remote wipe is dependent on the hardware encryption, which makes me believe that instead of actually wiping the data (as in a format), it would simply delete the private key – therefore making the data inaccessible. (Since iTunes stores a backup of all your iPhone data at every sync, securing this also seems important.) This also assumes it’s using a strong form of encryption. I’ve also read in other posts…
…hardware encryption for Exchange users…
…as the listed feature. Does this mean it’s only available through Exchange, and at what level is it being used? Is it only securing your email? We know the iTunes songs and videos are already being encrypted on the device. Is this the same form of encryption they’re talking about? We’ve asked an insider at Apple to help us out with some of these questions and are still awaiting a response.
All of this brings up major questions about the REAL security behind all these marketing terms. How much do companies actually care about security, and how much do they actually do to help protect their users? Is everything just a marketing ploy these days?
Users were upset about the lack of security in our last model of product X. Let’s add minor revisions and throw some good marketing verbiage in the features list and hope that fixes everything.
Is this how security is being treated? Apple isn’t the only company being vague about these types of issues; it runs all across the board. They just happen to be the ones asking for the most attention at this point in time. Stay tuned, as I hope to find and relay answers to many of these questions as more details are revealed.
Friday, May 22nd, 2009 1 Comment »
You go to a website. You decide to sign up for a new account there. You’re taken to a screen where you meticulously enter your details, making sure you don’t leave out any required fields (or else you’ll have to retype your password… twice). And right before you are allowed to hit “Submit” you see the final challenge of registering for something online – a box with some strange symbols all jumbled up (possibly incomprehensible at first glance) with the instructions “type what’s in the box.”
It’s not a new scenario – in fact, it’s probably something most people have had to deal with online since Captcha really got kicked off in the late 90s. In general, a Captcha is a challenge-response test designed to make sure the user taking the test is actually a human. This rests on the assumption that humans are better at character recognition than machines. Indeed, optical character recognition (OCR) algorithms weren’t very good at solving Captchas when they were first introduced, so Captchas originally provided a good defense against spam bots and other automated programs that wished to abuse features of online services designed or intended to be used only by real people.
But how useful is Captcha nowadays?
(more…)
Friday, May 15th, 2009 1 Comment »
Watch where you download software from. Windows 7 RC is available for free from Microsoft, but some people are getting their copies from bittorrent or other download sites. Several pirated copies carry a trojan that is building a botnet. If you want to try Windows 7, get it through a legitimate source so that you know what you’re downloading.
I know Microsoft wants to keep track of everyone with a copy of the software, so they’re asking you to register with your Live ID. I personally think that they should make public the MD5/SHA1 hash of the download to help people avoid downloading a trojan.
Thursday, April 23rd, 2009 No Comments »
On Wednesday, while the virtualization and cloud computing topics continued to see a lot of coverage, I focused my attendance on some different areas. The first Wednesday keynote included a brief discussion of the 60-day cybersecurity review by Melissa Hathaway, Acting Senior Director for Cyberspace for the Obama administration. While she did not tip her hand regarding what would be in the final report, she spent a lot of time discussing the importance of the report and the work that will come out of it. You can read her speech by following the Word document link in this article in The Atlantic.
Also on Wednesday was a panel discussion on the increasing prominence of legal and audit concerns in security, featuring two federal judges and two lawyers. The presence of two federal judges at the RSA conference should be viewed as good news, as it clearly demonstrates that the legal system is taking note of, and participating in a dialog with, the security industry as a whole. In the same vein, there was an individual talk in the Governance-Legal track, “eDiscovery Cooperation Workshop for Attorneys and Technologists”. Meaningful information security laws and regulations can only be developed and enforced by a team that includes both the legal system and security practitioners.
Other sessions that were heavily attended and well regarded were individual sessions for which there is not yet a link for video or audio. These include “Is Google Evil?” by Ira Winkler, and “The Danger that Lurks in the Internet’s Core Protocols” by a panel including Jeff Moss, Dan Kaminsky and Anton Kapela.
Wednesday, April 22nd, 2009 2 Comments »
I can easily sum up what nearly every talk, every keynote, and every booth vendor is discussing here at RSA. I just need four words: “Cloud computing and virtualization”. Virtualization is important because of the desire to make things cheaper and easier to maintain, and it presents a powerful argument for power savings, especially the week of Earth Day. The security concerns in virtualization are generally no different than they are with any current system, except for the attack vectors between host and guest operating systems. Virtualizing security services may be helpful for long-term cost savings, but it introduces additional risks that must be considered and then mitigated or accepted.
During the Cryptographers’ Panel, arguments for and against cloud computing were presented. Whit Diffie said he was excited, while Ron Rivest expressed concern. Bruce Schneier said the current move toward cloud computing is like the computing industry coming full circle. Back in the 70s and 80s, we had underpowered terminals accessing shared computing power, storage, and services on a mainframe. Now, replace “mainframe” with “cloud” and “underpowered terminal” with “netbook” or “mobile phone” and you’ll see where we are.
Personally, I don’t think we did a great job of information security in the 70s and 80s, so coming full circle is not a good thing. Cloud computing must be an area of continued vigilance, concern, and research for the coming years.
What are your thoughts? Tell us in the comments!