
Monday, April 28, 2008

Your Moment of Zen

With apologies to the Daily Show, I present- your Moment of Zen:

"Your systems are vulnerable and will be compromised"

It may be shocking at first, but it is true and you know it.  You may argue about the definitions of "vulnerable" and "compromised", but that misses the point.  Our systems are vulnerable and will be compromised.  Now what do we do? 

  • Focus on the things you can actually accomplish.
  • Accept that we really do need a "Plan B" (and maybe C, D...).
    • Work on those plans.
  • Prioritize work based on real exposure.
  • Think about risk.
    • There are many "deep thinkers" in the Risk field, but start with a little "shallow thought" and work your way up.

I have been thinking about this for a while, and a panel discussion at RSA really crystallized the idea for me (and many others).  It is not a new idea; Chris Hoff has expressed it in his move from "Rational Security" to "Rational Survivability".  Mike Rothman's "Pragmatic CSO" includes elements of it.  My belief that moving forward, even incrementally, is better than trying to solve all of the big problems also touches the idea.

Possibly more significant than the agreement of the esteemed panel (Mike Rothman, Ron Woerner, Rich Mogull, David Mortman and Martin McKeay) was the general agreement from the audience.  It has always been true, but now it is OK to accept it- and move on.


Jack

Sunday, March 16, 2008

SOURCE: Boston 2008 (updated)

SOURCE: Boston 2008 has just ended and it was great. Source is a little hard to categorize; it was part executive-level symposium, part hacker con, with a few other things tossed in for good measure.

I was only able to attend on Wednesday, but I kept up on things from my desk on Thursday and Friday by following a very active Twitter stream from the event.

Wednesday kicked off with introductions followed by a short talk by Tito Jackson*, the IT Director for the Mass Office of Business Development. Jackson's talk was very upbeat about the state of technology in Massachusetts (as you would expect), but some of the numbers really are impressive given the current economic situation. Jackson was followed by a keynote from Richard Clarke. Clarke is a very good speaker and started (after the obligatory Eliot Spitzer joke) with a recap of the history and current state of cybersecurity in the United States and the recent events which have refocused attention on cybersecurity. Unfortunately Clarke started wandering away from his real areas of expertise and eventually jumped the shark, venturing into bogus generalizations and speculation. His strong statements on privacy violations could have brought him back from the brink, but by the time he suggested ideas like laws regulating secure code and requiring ISPs to clean up the Internet for us he had lost a large part of the audience, and it was only residual respect and decorum which kept him from being heckled.

After the keynote the three tracks split up and the choices became difficult (always a good sign at a con). The tracks were loosely defined as "Business and Security", "Application Security" and "Security and Technology". Not being a coder, I wasn't tempted by much in the Application track- but I later heard there were some excellent talks there, such as Andrew Jaquith's Anti-Virus preso. I chose to hear Mike Rothman's "How Compliance Can Get You Killed"- but really wanted to see Roger Dingledine's "Making TOR Play Nice with the Internet" talk, too. I'll have to wait for the videos to see Roger's, but Mike was as entertaining and informative as always.

The next tough choice for me was between Michael Rash's "Advanced Linux Firewalls" and "Disruptive Innovation and the Future of Security" by Rich Mogull and Christofer Hoff. I couldn't pass up the dynamic duo and they didn't disappoint. It was their first pass at what is an evolving presentation- it was good and will improve with a little polish. They tried to cover more Disruptive Technology topics than would fit in the time allotted, and that limited the depth of the presentation, but even in "rough cut" form it was a refreshing change from most of the mundane "Business of Security" kind of talks.

The tough choice for the end of the day was between Andrew Jaquith's "Anti-Virus, not dead but twitching..." and James Atkinson's “Telephone Defenses Against the Dark Arts”. I opted for the phone security session and spent the next two plus hours in the ultra-nerdly and technical preso. It was great- see my guest blog post about it on the SOURCEBoston blog.

The evening's reception was fantastic as a large crowd gathered on the sixteenth floor to eat, drink and talk. The conversations continued throughout the evening and eventually moved downstairs and went on until the small hours of the morning.

Although I didn't get to attend on Thursday or Friday, the Twitter feed had a steady stream of news. Wednesday's keynotes by Dan Geer and Steven Levy received rave reviews, as did Friday's L0pht Heavy Industries "reunion" panel (There was a somewhat-confirmed baseless rumor that L0pht is getting back together in some form or another- see Space Rogue's comments below).

Where is this "confirmed rumor" coming from? Basically Symantec owns all the L0pht IP, they even have the domain name. I suspect if we tried to do anything under that name they would probably have something to say about it, not to mention that Silicosis still works there.

I suspect that there may be some individual collaboration between a few ex-l0pht folks in the near future but getting back together as a full group just ain't gonna happen.

- SR

It is clear that I missed many very good presentations; the full list is at http://www.sourceboston.com/sessions/.

A special bonus at SOURCEBoston was the chance to meet several other Security Twits in person for the first time, notably "old friends" Ryan Naraine from eWeek and Jennifer Leggio, Keeper of The List.

Now I'm waiting for word on next year's conference.

*"Tito Jackson"? Poor guy, going through life with a famous name like that- what were his parents thinking?

Jack Daniel

Saturday, February 16, 2008

Shmoocon, Day Two

Except for morning arriving too early, too bright and too loud- another great day.

A couple of references: the Shmoocon website and the speakers page.

An explanation of Shmooballs: ShmooCon 2008 is continuing in the tradition of arming attendees with ShmooBalls (a soft aerodynamic object of some sort). This is in an effort to facilitate a frank and open discussion of opinions. Speakers are encouraged to present innovative ideas that not everyone agrees with. Audience members are encouraged to use their ShmooBalls if they disagree.

The first presentation was a tough choice; I passed up a great wireless talk to attend Mouse's inside look at voting systems. I have been concerned about voting systems for years- and after last year's talk by Avi Rubin and last night's talk by Alex Halderman I chose to hear more about the research that has been done. Mouse is on the team that did an in-depth analysis of the voting systems in Ohio after the fiasco of the 2004 elections. The phrase "one voter really can make a difference" takes on a new and ominous meaning in light of the findings on system vulnerabilities.

Next I went to the "Forced Internet Condom" talk, in which a couple of former ISP abuse department guys delivered their mea culpas and explained why the traffic filtering they once supported is the wrong approach. Takeaway: Sandvine and their customers are not very nice. "Intelligent traffic management" is a polite way of saying the ISPs have oversold their networks and are now controlling what their customers can and can't do on "their" Internet- and changing terms of service as they see fit to cover it. How bad is it? Commonly filtered ports now include TCP 21, 25, 80 (inbound), 111, 135-139, 445, 1433-1434, 3128, 4662 and 36781; UDP 135-139, 161, 445, 1434; and a few stray protocols.

At noon I went to see Jay Beale's preso on "They're Hacking our Clients". Jay is a very sharp man, but I was underwhelmed by this talk. He seemed to be proposing manually doing what agentless NAC already does (or claims to do). I think Palo Alto Networks are already where he is theorizing we should be going. Early in the talk Jay became the first victim of Larry Pesce's compressed-air powered Shmooball cannon- a yell of "fire in the hole", a loud pop, and the air was full of Shmooballs.

After a little lunch and some time in the Lockpick Village I caught Simple Nomad's "Practical Hacker Crypto". It was informative and entertaining, as his talks always are. After a shot at Ovie Carroll (from the Cyberspeak podcast), Simple delivered the most solid advice of the con, "don't do dumb shit". A little light on specifics, but irrefutable advice. Simple later proposed PDP, the Plausible Deniability Protocol- under the topic of WWDKD (What would Dan Kaminsky do?). The now-infamous Mr. Pesce and his cannon struck again during the talk.

At 4:00 I went to one I had been looking forward to, a talk on small business security challenges. Displeased with their ideas, I threw Shmooballs and challenged their contention that small businesses are easier to secure than larger entities. To their credit one of the presenters, Pete Caro, found me in a hall later in the day and asked if we could continue the conversation tomorrow. I'm looking forward to it. That will be at least one blog post of its own, hopefully soon.

For the final time slot I went over my head into "Advanced Protocol Fuzzing" with Enno and Daniel from ERNW. I think it went over many people's heads, but I stuck it out and am glad I did. Crashed Cisco gear is a perennial crowd favorite, and they delivered. The preso, followed by a hallway chat with Chris Hoff and Daniel convinced me that I need to learn about VRRP and think about trying to break VRRP, HSRP and WLCCP. If I make any progress, that should be a few blog entries.

Chris Hoff and I have also been delivering running commentary on Shmoocon on Twitter. (There's another blog entry in the works, the growing Security Twitterati community). Chris' tweets are here and mine here.

Jack

Wednesday, November 21, 2007

Available vs Too Available, or how to simplify DLP

One thing that is largely missing from discussions of Data Loss/Leak Prevention is the idea that taking some data offline is a simple and effective means of preventing data loss. Information needs to be accessible in our "Information Age", but how accessible is too accessible?


Let's make this more tangible. Suppose you are headed out for a night in "the Big City", are you going to carry all of your financial records, safe deposit box keys and stock certificates with you as you navigate the subway?  Or will you carry just enough cash for the evening, only one or two credit/debit cards (maybe just one "firewall account" card), and tone down the jewelry?  Good choice- you NEED to have access to all of those high-value things, but you don't need immediate access at all times.  In fact, immediate access at all times is a pretty bad idea- that's why you have stuff locked away in the safe deposit box, right?


Maybe you don't need all of your data immediately available, either.  Maybe a virtual file or database server can host some of your data- and only be brought online as needed.  I know it isn't always that simple and that individual databases often house both mundane and confidential data, or house both frequently and infrequently accessed data (there's another issue, eh?), but think about taking data offline to protect it instead of just adding more layers of defense and complexity.


If you want a thorough introduction to DLP check out Rich Mogull's DLP primers at Securosis.  As Hoff pointed out, though, if it takes seven posts and 10,000 words to provide an introduction to something, it may not be ready for prime-time.


Jack