Tuesday, January 27, 2009

Homework assignment

You probably already do this, but...

Next time you are somewhere with any (preferably non-IT) security or safety concerns, look for the stupidity.  If you don't know where to start, the poor folks in healthcare are a great target- that may be the greatest concentration of really smart stupid people in our society.  (Yes, even worse than government).  And, there may be even more minions of the demon checkboxes in healthcare than in IT compliance. 

Wherever you try this, look for the measures taken in the name of security and/or safety.  Now, look for the blatantly obvious oversights and outright dangers- they won't be hard to spot.  Now, think about what kind of convoluted thought process could lead to things like wheelchair safety rails on all the ramps- but no child-protection bars on the same railings, made even more dangerous to kids by the footholds provided by the wheelchair rails.  You will probably start to see a misunderstanding of fundamental concepts such as risk and threat, and then you will spot the corresponding misguided attempts at addressing them.

While it may be amusing to ridicule others (OK, it IS downright fun), the point of the exercise is the second phase- where you turn that skeptical eye back on your own world and try to spot the obvious and glaring oversights in your own environment.  Not so much fun now, is it?  Instead of "fun", you might have to settle for "enlightening" or "effective" in your own world.



Saturday, January 24, 2009

Hey, look over there...

Johnny Long has been telling his amazing story via Twitter lately, it is good stuff. I have promoted Hackers for Charity before, and now I'm asking you to keep an eye on the Hackers for Charity site, Johnny has some big things planned. If you can spare a couple of bucks, have a hook-up for gear, or maybe can clear a bit (or a lot) of time on your schedule to offer your services- head on over and participate.

You know how it works- you get the satisfaction of doing something good, and if you really dive in you may get some resume' building experience and endorsement.


Tuesday, January 20, 2009

Podcaster's Meetup and Fire Talks at Shmoocon

Details are up about this year's Podcaster's Meetup at Shmoocon, it will be bigger and better than ever.  Several of your favorite security podcasts will be participating- and this year there will be even more to do after the regularly scheduled events: Fire Talks.  What are Fire Talks, you ask?

"Have a talk that didn’t get accepted? Want the chance to share a project that you are working on? Think of FireTalks as a verbal blog post.

The human experience is built on the ability to tell and learn from stories. At ShmooCon 2009, “FireTalks” is a supportive environment in which to either share insights or learn from others. Whether polishing a presentation (story) for conferences, meetings or training, FireTalks are the way to share, learn and improve.

The inaugural FireTalks take place Friday night — following the Podcasters Meetup. Talks are limited to 10-15 minutes with four (4) scheduled talks and four (4) open slots. Open slots will be filled on a first come, first serve basis.
Saturday night will be more relaxed. Come join us and present, listen and learn."

I have written before about "the hall", where some of the cool stuff happens at conferences, Fire Talks are a great way of encouraging those less formal conversations.  (SecTwits Road Trips are another way).  Join us if you can.



Sunday, January 18, 2009

A new game for security cons-

Inspired by my recent interactions with the "business community" and data protection, I present:

Towel Toss, for when you can't take it any more and are ready to throw in the towel. 

I was asked if it would be scored by distance or accuracy, but on reflection I have decided it would have to be judged on style- folks truly qualified to play probably couldn't get much distance or accuracy in that state.

I'm not entirely kidding, either.  We could share our pain, console each other, and come up with solutions or at least help with strategies for coping with the stupidity.  Think about it, bartenders at cons are too busy to help all of us, we need to help each other sometimes.



Saturday, January 17, 2009

Well, isn't that depressing...

Yesterday I attended a public hearing [PDF] on amendments to the new Massachusetts data protection law, 201 CMR 17.00. The original amendment delayed implementation of the law by a few months, and two sections, certification of third party vendors and encryption of portable devices, were delayed by one year. This hearing was designed to offer interested parties an opportunity to provide input on the amendment and possible further delays or amendments.

The good news was that people were interested in this issue, about a hundred people packed into a small meeting room (which would have been comfortable for 50 at most) and I heard that dozens more came but could not even get near the door. The bad news is that almost everyone was there from a business interest and there was little representation for the consumer (you know, you and me, the people screwed by TJX and their ilk's carelessness with our information). I was only there to observe, but when I signed in and saw who was speaking, I put my name down and waited my turn to inflict my opinions on David A. Murray, General Counsel for the Massachusetts Office of Consumer Affairs and the assembled masses. I heard speakers from several business groups representing a wide spectrum of interests who all said about the same thing, it is too much, it will be too hard, and it will be too expensive. I agree on some points, but strongly disagree on others.

There were three primary objections raised:

  • Contracts and Certification of third-party vendors' compliance with 201CMR17.00
  • Encryption
    • Data transiting public or wireless networks must be encrypted.
    • Personal Information on laptops and portable devices must be encrypted.
  • Information assets, both electronic and physical, must be inventoried to identify Personal Information to be protected.
    • Alternately, all data can be treated as confidential and protected.

The contract and certification concerns are largely legitimate; as currently written all third-parties with access to Personal Information must be contractually required to protect the data by May 1, 2009 and must have written certification that third parties have a written, comprehensive information security program in compliance with 201CMR17.00 by January 1, 2010. Sounds good to me, but it isn't going to happen- you cannot expect everyone to re-write contracts that fast, nor do most smaller businesses have the clout to demand such from larger vendors. I think we need to work towards this goal, but over a longer period of time.

Encryption: this is where I started to get frustrated- many of the business advocates effectively stated that encryption is an immature field, rapidly evolving, and with no interoperability between vendors and systems. It would be charitable to call this misinformation. Encryption can be difficult to manage without the right tools, and the right tools can be expensive- and many smaller businesses can't justify the expense of large PKI or other encryption management infrastructures. I believe a delayed requirement may be reasonable due to cost and complexity, but to say that encryption is immature is, well, immature. And interoperability concerns- that's nonsense, at least as far as the transmission of data- IPSec, SSL, and WPA2 can address that reliably. No, you can't decrypt a TrueCrypt volume with PGP, but there are enough mature players in data encryption to find an appropriate answer for the needs of this law. Oh, and those really small businesses with occasional needs? Both Microsoft Office and OpenOffice offer basic document encryption; between Office's near-ubiquity and OpenOffice's free and cross-platform availability, many small businesses may not need to spend any money on "encryption infrastructure".

The really depressing part was the strong opposition to data inventories; I heard over and over that they would be too hard and too expensive. Let's flip that over: we were effectively told (repeatedly) that businesses large and small, in fields including higher education, law, mutual funds, and insurance- have no idea what information they have or where it is- or this wouldn't be such a big deal, right? This is fundamental security (not just information security): you have to know what you have and where it is if you are going to protect it. If they (we) don't get this done, and done correctly, the rest of the law is pointless.

There will be plenty more on this topic in upcoming posts. I am not a "compliance guy", but this is not only relevant to information security, it is turning into a drama.


Saturday, January 10, 2009

The roads may never be the same.

Security Twits Road Trip 2, aka the ShmooBus, is on.  I have apparently recovered from the first SecTwits Road Trip  (lots of pics here) and I've rented another 30' RV.  Departing the Boston area the morning of Thursday, February 5 and arriving at the Marriott Wardman Park for Shmoocon that evening- return trip beginning at the conference end Sunday afternoon.

Tickets for Shmoocon are completely sold out, but if you have (or can find) a ticket and want to join us let me know, there may still be a seat or two open.


Why? Because it is a road trip, and it is Shmoocon.


And, on the bus or not, stay tuned for info about the expanded after-hours events at Shmoocon, including another Podcaster's meetup and much more.



Thursday, January 8, 2009

Wall-to-wall 201 CMR 17.00

For those who can't get enough of the sexy new Massachusetts Data Protection law, please join me as I live it for the next several weeks.

I will be repeating my 201CMR17.00 presentation and discussion given at the NAISG Boston meeting in November, this time for the Connecticut River Valley chapter of NAISG, on Monday January 12 at 6:30pm in Enfield, CT.

This month's NAISG Boston meeting will feature a presentation by Brad MacDougall, Associate Vice President of Government Affairs for the Associated Industries of Massachusetts (AIM).  Brad will focus on the difficulties that will be encountered by many businesses and the obstacles with the current regulations under 201 CMR 17.00.  The meeting will be on Thursday, January 15 at Microsoft's offices in Waltham, MA at 6:30 PM.

The following day, Friday, January 16, there will be a public hearing on 201CMR17.00 at 2:00pm in Boston.  The purpose of the meeting will be to afford interested parties the opportunity to provide input on the amendments to 201 CMR 17.00.  There is now a copy of the amended 201CMR17.00, redlined to highlight the changes, available at the state's Identity Theft page.

Finally, (for now) the Boston Network Users Group (BNUG) will also host a presentation on 201CMR17.00 at their next meeting, on Tuesday, January 6, also at the Microsoft offices in Waltham, MA.  Speaking will be David A. Murray, General Counsel, and Gerry Young, MIS Director, from the Massachusetts Office of Consumer Affairs and Business Regulation.

Not in Massachusetts?  Don't think this matters to you?  Guess again- you do not need to put your ear on the railroad track to hear this legislative freight train headed to a jurisdiction near you.



Wednesday, January 7, 2009

Open Letter from Geeks to IT Recruiters and Hiring Managers

Ax0n nailed it in his blog post about geeks in the workplace, take a few minutes and read (and share) this:

HiR Information Report: Open Letter from Geeks to IT Recruiters and Hiring Managers



Monday, January 5, 2009

Security Bloggers Network

OK, I'm a bit late to this party.  I finally officially joined the Security Bloggers Network.  It looks like we are up to 207 blogs on the list, more than you will ever be able to read- but a great place to browse and find interesting content.  Not all members are especially prolific bloggers, not all blogs are strictly Information Security focused, but there is a lot of good stuff over there.  SBN has recently moved from Feedburner groups (due to changes apparently brought on by Google's acquisition of Feedburner) to Lijit- the good news there is that Lijit searches of the network are a great way to find posts on specific security topics.



Sunday, January 4, 2009

A fresh perspective on Network Security

A friend of mine, Tim Cronin, has started blogging- sharing his ideas and experiences as he comes to grips with the world of network security.  He even has a mission statement for his blog:

"The mission of this blog is to provide the technology community with lucid, easy-to-understand breakdowns of information security topics from the viewpoint of a security newcomer.
In my short time as an engineer for an internet security vendor, I have noticed that a lot of systems administrators are thrust into positions in which they did not prepare themselves or are confronted with issues that they did not anticipate. Technology is a broad industry, after all. I am creating this blog as a guide to information security concerns targeted at the "do-it-all" systems administrator that may not have had a chance to specialize in security. I hope that even the most seasoned security professional will gain a new outlook on these topics as well.
Please stay posted as this blog becomes full of useful content!"

Tim offers a fresh perspective on things, head over to his Security Workshop and see what you think.



Saturday, January 3, 2009

SOURCE Boston Volunteer opportunities

Interested in going to the SOURCE Boston conference, but a little light on funds?  If you have time to volunteer, you may be able to join the team working on SOURCE and trade labor for conference admission (and a peek behind the scenes at a conference).

See this SOURCE blog post for details.