Monday, May 12, 2008

Podcast updates

It has been a while since I reviewed my list of security podcasts and a few new ones have made it into rotation since I last visited the topic. My regular listens and a link to the Getmon Security Podcast list are in my Podcast.com widget (over there on the right, scroll down a bit and you'll see it). Click away at any of the titles for episode details, links to Podcast.com pages, or to play episodes.

My previous recommendations still stand:

  • Pauldotcom Security Weekly
    • Pauldotcom has grown into an empire, with video and webcasts and an entire community involved.
  • The Network Security Podcast
    • Rich Mogull is now Martin McKeay's cohost and his addition has expanded the perspective of this great show.
  • CyberSpeak
    • Brett and Ovie continue to deliver informative and entertaining forensics and cyber-crime content on a quasi-weekly basis (they are busy guys).
  • Security Now*
    • Steve Gibson and Leo LaPorte talk security, and stuff.
    • *figure out the asterisk for yourself.

And newer in the rotation:

  • Risky Business
    • This one is a must-listen, an outstanding weekly podcast featuring news and interviews hosted by Patrick Gray (Patrick Gray is great, and he also has a weekly networking and systems podcast, "A Series of Tubes").
  • The Silver Bullet Podcast:
    • In-depth conversations with leading security gurus, hosted by Gary McGraw, sponsored by IEEE Security & Privacy Magazine.
  • Radio Free Security
    • A good podcast aimed at the small business IT administrator produced by WatchGuard LiveSecurity Service reporters.
    • NOTE- this shares a feed with their "Firebox Special", a podcast dedicated to the WatchGuard Firebox. Unless you are a customer, you may want to skip those.

And a few seem to have faded away, but I haven't completely given up on them:

  • The Security Roundtable
  • The Rear Guard
  • Sploitcast*
    • *Not quite dead.

Happy Listening!

Jack

Friday, May 2, 2008

Matrícula de coche con inyección SQL
-or- Language is no barrier.

My Spanish is pretty rusty, but you don't need to understand "Matrícula de coche con inyección SQL" (car license plate with SQL injection)- in this post you only need to look at the photo of the car.

(The Google-translated page is here).

Jack

Thursday, May 1, 2008

Defense in Depth?

Thomas Ptacek recently opined on Twitter:

"Defense in depth is one of the great bills of goods the security industry has sold IT."

As you can imagine, this led to a lively discussion among the Security Twits- a respected member of the security community (and a really smart guy) attacks a fundamental tenet of security.  At first I thought he had simply been working too long and hard and had lost it, but then I saw the key word in his pronouncement:

"sold"

Ah, this angle works for me.  As an under-funded small-business IT guy (a redundant statement, I know) I have always relied on defense in depth, and built it into any system I could.  Don't get me wrong, I paid for some of the depth, but I did not buy defense in depth.  The layers have to make sense and work together.

Another angle which works is more theoretical. If we had fundamentally secure systems to begin with we wouldn't need (or have) an entire enormous industry dedicated to selling bandages for mortally wounded systems.

Wouldn't that be nice?  We could have yet another discussion about that, but that would be beating a horse which is not only dead but already processed into gelatin, dog food and glue.

Jack

Architecture astronauts take over

Not much to say about this article, except it is a refreshing alternative take on Microsoft's "new" Mesh Thingie©

Jack

Monday, April 28, 2008

Your Moment of Zen

With apologies to the Daily Show, I present- your Moment of Zen:

"Your systems are vulnerable and will be compromised"

It may be shocking at first, but it is true and you know it.  You may argue about the definitions of "vulnerable" and "compromised", but that misses the point.  Our systems are vulnerable and will be compromised.  Now what do we do? 

  • Focus on the things you can actually accomplish.
  • Accept that we really do need a "Plan B", (and maybe C, D...) 
    • Work on those plans.
  • Prioritize work based on real exposure.
  • Think about risk
    • There are many "deep thinkers" in the Risk field, but start with a little "shallow thought" and work your way up.

I have been thinking about this for a while and a panel discussion at RSA really crystallized the idea for me (and many others).  It is not a new idea, Chris Hoff has expressed it in his move from "Rational Security" to "Rational Survivability".  Mike Rothman's "Pragmatic CSO" includes elements of it.  My belief that moving forward, even incrementally, is better than trying to solve all of the big problems also touches the idea.

Possibly more significant than the agreement of the esteemed panel (Mike Rothman, Ron Woerner, Rich Mogull, David Mortman and Martin McKeay) was the general agreement from the audience.  It has always been true, but now it is OK to accept it- and move on.

Jack

Wednesday, April 23, 2008

The Linkedin "John Smith" scam

I had my doubts, but I tend to be fairly open with Linkedin requests and keep a mental track of those I really know and those I don't- so when a highly-linked Mr. John Smith (including links to people I *really* know) sent a connection request, I added "him". A bunch of others did, too. No big deal for most folks who think about what info they share (and how much of it is available elsewhere). Turns out Mr. John Smith was an "awareness campaign" or "publicity stunt" depending on your point of view. I received this email today:

Dear LinkedIn user: Meet Mr. John Smith!

You have a profile on LinkedIn.com and you have chosen to connect with "John Smith". This in itself is not a problem, if it wasn't for the fact that John Smith doesn't really exist (in real life). The profile was invented as part of a security experiment where we try to determine and illustrate potential risks using social networks, such as LinkedIn. The presentation was just released at the Fraud Europe conference in Bruxelles today.

We decided not to release any detailed information about who and how John Smith got connected with in his network. However, we felt obligated to inform all LinkedIn accounts hooked up with John Smith about this piece of research and the release of the final edition of "Social Networking Risk - Who Do You Want to be Today?".

With the paper being released we will delete the "John Smith" profile!

If you've not already guessed it, you're receiving this e-mail because you are linked with John Smith. We hope this will be a lesson learned and nothing else ...

All data harvested during the past year will be deleted. We will also inform LinkedIn and ask them to remove the profile.

You can download the presentation given at Fraud Europe conference at the following URL:
http://www.csis.dk/dk/media/LinkedIn-Threats.pdf

The technical paper, used as background for this presentation and released in January 2008, can be downloaded here:
http://www.csis.dk/dk/media/LinkedIn-V2.pdf

Best regards,

Dennis Rand, Security- and Malware researcher
CSIS Security Group
http://www.csis.dk

Oh, well. But my next question is this- what about that "Information Security" group on Linkedin? A few friends and I questioned the legitimacy of that (after joining) at a recent event.

Bottom line, if it is on the Internet it is out there for all to see. Remember that, act accordingly, and you'll be OK.

Jack

Tuesday, April 22, 2008

The "Theme" of the Expo at RSA

I am working on a few posts on RSA, things like "Your Moment of Zen" and "Confessions of a Booth Babe", but first...

One of the oft-asked questions at RSA was "What's the theme?" There was an official Turing theme, but it didn't really take. I spent quite a bit of time in the Expo with all of the vendors, so I proposed:

"Simple solutions to complex problems"
Rich Mogull suggested this refinement:
"Meaningless, content-free answers to important questions"

From the Expo floor there was also a strong undercurrent of:
"Buy our product and you will be (fill in the blank) compliant (and thus secure)."

No surprises, really, but it is depressing how few people selling stuff (any stuff, not just security stuff) are aware of their own market. Security is hard and the odds are against "winning", so the hyperbole (100% effective against SPAM!) and oversimplification just annoy and offend the educated customer.

Don't get me wrong, overall I had a great time at RSA, but the stupid sales weasels just amaze and appall me. Keep in mind that I have spent the past thirty years in and supporting the car business, I know stupid sales weasels when I see them.

Jack

Saturday, April 19, 2008

Hypocrisy, Patriotism, Bullshit.

No security angle here, just an incendiary rant.  (Unless we're talking economic security, but we won't go there).  You've been warned.

A few weeks ago I spent the weekend in Gettysburg, Pennsylvania.  Gettysburg is a great town, rich in history of course; but also a nice college town with a well-maintained downtown and a real sense of community.

Sure, there are the obligatory tacky tourist traps- including sacrilegiously named stores, restaurants, and hotels (winner in this category, "Gettysburg Battlefield Resort"), but not all of the tourism is bad.  The Park Service is trying to restore many areas to period-appropriate condition and has just opened a new visitor center.

The Rant:

On the edge of town, out by the highway, is Battlefield Harley-Davidson (not near the battlefields, by the way).  Battlefield Harley-Davidson is housed in a large steel building, near failed and failing auto dealers and the requisite highway off-ramp hotels and shopping centers.  Like most H-D dealers, it is a large and impressive facility, nicely landscaped and well-maintained.  When you enter the building, you are greeted by dozens of shiny new Harleys, but beyond the front line is the magic- a bewildering array of clothing, accessories (both motorcycle and "lifestyle" accessories) and trinkets.  This is the stuff anyone can afford, even if you can't swing a new 'Glide.  Unfortunately, much of it is poor quality and almost all of it is made in China.  For a company which touts quality and wraps itself in the American flag as much as Harley-Davidson does, you might expect some true patriotism and dedication to quality American-made goods- but you won't find it.  Even the more expensive goods are almost exclusively Chinese, so it isn't just the cheap stuff they outsource.

This isn't really about Battlefield H-D (except the BS name and proximity to sites of historic patriotism), it is about Harley-Davidson's corporate greed.  Want to sell inexpensive stuff made in China?  OK, there are some issues with that, but it is a legitimate business model.  Want to milk false patriotism for a buck?  (Note, I believe John Deere gets a dishonorable mention in this arena, too- for similar reasons).  That's fine for spineless cowards and hypocrites.  I'll pass on that ride, thank you.

Jack

Thursday, April 17, 2008

RSA Security Bloggers Meet-up

Several people have already written about this, so I'll keep it short. I really enjoyed it; I reconnected with some people, met some Internet acquaintances and Security Twits in person for the first time, and met new people, too. I had a great time and I'm already looking forward to the next one.

Thanks again to Jennifer Leggio (Mediaphyter), Martin McKeay, Rich Mogull, Alan Shimel and everyone else who helped make it happen.

Mediaphyter's blog post has a pretty thorough list of attendees, scan it and you'll see why I am not trying to repeat the effort here.

Jack

Wednesday, April 16, 2008

New NAISG Chapter, Connecticut River Valley

NAISG recently announced our sixth chapter:

"We are pleased to announce the formation of the Connecticut River Valley chapter of NAISG. This chapter will serve the Springfield, MA and the Enfield/Hartford, CT areas. More details will be announced as they become available."

As always, information will be at the NAISG website.

Jack