
Thursday, May 1, 2008

Defense in Depth?

Thomas Ptacek recently opined on Twitter:

"Defense in depth is one of the great bills of goods the security industry has sold IT."

As you can imagine, this led to a lively discussion among the Security Twits- a respected member of the security community (and really smart guy) attacks a fundamental tenet of security.  At first I thought he had simply been working too long and hard and had lost it, but then I saw the key word in his pronouncement:

"sold"

Ah, this angle works for me.  As an under-funded small-business IT guy (a redundant statement, I know) I have always relied on defense in depth, and built it into any system I could.  Don't get me wrong, I paid for some of the depth, but I did not buy defense in depth.  The layers have to make sense and work together.

Another angle which works is more theoretical. If we had fundamentally secure systems to begin with we wouldn't need (or have) an entire enormous industry dedicated to selling bandages for mortally wounded systems.


Wouldn't that be nice?  We could have yet another discussion about that, but that would be beating a horse which is not only dead but already processed into gelatin, dog food and glue.


Jack

Thursday, April 17, 2008

RSA Security Bloggers Meet-up

Several people have already written about this, so I'll keep it short. I really enjoyed it; I reconnected with some people, met some Internet acquaintances and Security Twits in person for the first time, and met new people, too. I had a great time and I'm already looking forward to the next one.


Thanks again to Jennifer Leggio (Mediaphyter), Martin McKeay, Rich Mogull, Alan Shimel and everyone else who helped make it happen.

Mediaphyter's blog post has a pretty thorough list of attendees, scan it and you'll see why I am not trying to repeat the effort here.

Jack

Monday, March 31, 2008

Security Bloggers Meetup at RSA

I am looking forward to the Security Bloggers Meetup at RSA next week.  A couple of weeks ago at SOURCE Boston I got to put faces (not just avatars) to Twittering and blogging friends I only knew through online interactions- I expect to make many more face-to-face connections at the RSA meetup.  Given the reputation of RSA evenings in general and the Security Blogger Meetup in particular, I can't be sure that I will remember much- but I know there will be video to help jog my memory.

See you there?


Jack

Sunday, March 16, 2008

SOURCE: Boston 2008 (updated)

SOURCE: Boston 2008 has just ended and it was great. SOURCE is a little hard to categorize; it was part executive-level symposium, part hacker con, with a few other things tossed in for good measure.

I was only able to attend on Wednesday, but I kept up on things from my desk on Thursday and Friday by following a very active Twitter stream from the event.

Wednesday kicked off with introductions followed by a short talk by Tito Jackson*, the IT Director for the Mass Office of Business Development. Jackson's talk was very upbeat about the state of technology in Massachusetts (as you would expect), but some of the numbers really are impressive given the current economic situation. Jackson was followed by a keynote from Richard Clarke. Clarke is a very good speaker and started (after the obligatory Eliot Spitzer joke) with a recap of the history and current state of cybersecurity in the United States and the recent events which have refocused attention on cybersecurity. Unfortunately Clarke started wandering away from his real areas of expertise and eventually jumped the shark, venturing into bogus generalizations and speculation. His strong statements on privacy violations could have brought him back from the brink, but by the time he suggested ideas like laws regulating secure code and requiring ISPs to clean up the Internet for us he had lost a large part of the audience, and it was only residual respect and decorum which kept him from being heckled.

After the keynote the three tracks split up and the choices became difficult (always a good sign at a con). The tracks were loosely defined as "Business and Security", "Application Security" and "Security and Technology". Not being a coder I wasn't tempted by much in the Application track- but I later heard there were some excellent talks there, such as Andrew Jaquith's Anti-Virus preso. I chose to hear Mike Rothman's "How Compliance Can Get You Killed"- but really wanted to see Roger Dingledine's "Making TOR Play Nice with the Internet" talk, too. I'll have to wait for the videos to see Roger's, but Mike was as entertaining and informative as always.

The next tough choice for me was between Michael Rash's "Advanced Linux Firewalls" and "Disruptive Innovation and the Future of Security" by Rich Mogull and Christofer Hoff. I couldn't pass up the dynamic duo and they didn't disappoint. It was their first pass at what is an evolving presentation- it was good and will improve with a little polish. They tried to cover more Disruptive Technology topics than would fit in the time allotted and that limited the depth of the presentation, but even in "rough cut" form it was a refreshing change from most of the mundane "Business of Security" kind of talks.

The tough choice for the end of the day was between Andrew Jaquith's "Anti-Virus, not dead but twitching..." and James Atkinson's "Telephone Defenses Against the Dark Arts". I opted for the phone security session and spent the next two-plus hours in the ultra-nerdly and technical preso. It was great- see my guest blog post about it on the SOURCEBoston blog.

The evening's reception was fantastic as a large crowd gathered on the sixteenth floor to eat, drink and talk. The conversations continued throughout the evening and eventually moved downstairs and went on until the small hours of the morning.

Although I didn't get to attend on Thursday or Friday, the Twitter feed had a steady stream of news. Wednesday's keynotes by Dan Geer and Steven Levy received rave reviews, as did Friday's L0pht Heavy Industries "reunion" panel (there was a somewhat-confirmed baseless rumor that L0pht is getting back together in some form or another- see Space Rogue's comments below).

Where is this "confirmed rumor" coming from? Basically Symantec owns all the L0pht IP, they even have the domain name. I suspect if we tried to do anything under that name they would probably have something to say about it, not to mention that Silicosis still works there.

I suspect that there may be some individual collaboration between a few ex-l0pht folks in the near future but getting back together as a full group just ain't gonna happen.

- SR

It is clear that I missed many very good presentations; the full list is at http://www.sourceboston.com/sessions/.

A special bonus at SOURCEBoston was the chance to meet several other Security Twits in person for the first time, notably "old friends" Ryan Naraine from eWeek and Jennifer Leggio, Keeper of The List.

Now I'm waiting for word on next year's conference.

*"Tito Jackson"? Poor guy, going through life with a famous name like that- what were his parents thinking?

Jack Daniel

Saturday, February 23, 2008

Twitter

There is a growing community of security folks on Twitter. Not sure what Twitter is? Ask Wikipedia. Just don't ask why. Twitter is an addictive little thing, and some people really like it- including me. Chris Hoff and I Twitter-cast coverage from Shmoocon last weekend and I expect to do so again for relevant events, such as RSA. I'll add a Twitter widget to the blog for such events in the future, but it will probably only be active for specific events. If you really want to see all of my updates on everything from traffic and weather to caffeine and alcohol you'll have to follow me on Twitter.

Jennifer Leggio's blog has the definitive list of Security Twits. Not sure I really like that name, though. It makes it sound like we're Steve and Leo's minions.

Note: as Twitter users all know, Twitter is the MG of social media sites. That is, it is lightweight, nimble and fun- when it works. Just like an MG, Twitter's lack of reliability is legendary. (I didn't even know Lucas made web servers).

Jack

Saturday, February 16, 2008

Shmoocon, Day Two

Except for morning arriving too early, too bright and too loud- another great day.

A couple of references: the Shmoocon website and the speakers page.

An explanation of Shmooballs: ShmooCon 2008 is continuing in the tradition of arming attendees with ShmooBalls (a soft aerodynamic object of some sort). This is in an effort to facilitate a frank and open discussion of opinions. Speakers are encouraged to present innovative ideas that not everyone agrees with. Audience members are encouraged to use their ShmooBalls if they disagree.

The first presentation was a tough choice; I passed up a great wireless talk to attend Mouse's inside look at voting systems. I have been concerned about voting systems for years- and after last year's talk by Avi Rubin and last night's talk by Alex Halderman I chose to hear more about the research that has been done. Mouse is on the team that did an in-depth analysis of the voting systems in Ohio after the fiasco of the 2004 elections. The phrase "one voter really can make a difference" takes on a new and ominous meaning in light of the findings on system vulnerabilities.

Next I went to the "Forced Internet Condom" talk, where a couple of former ISP abuse department guys delivered their mea culpas and explained why the traffic filtering they once supported is the wrong approach. Takeaway: Sandvine and their customers are not very nice. "Intelligent traffic management" is a polite way of saying the ISPs have oversold their networks and are now controlling what their customers can and can't do on "their" Internet- and changing terms of service as they see fit to cover it. How bad is it? Commonly filtered ports now include TCP 21, 25, 80 (inbound), 111, 135-139, 445, 1433-1434, 3128, 4662 and 36781; UDP 135-139, 161, 445, 1434; and a few stray protocols.

At noon I went to see Jay Beale's preso on "They're Hacking our Clients". Jay is a very sharp man, but I was underwhelmed by this talk. He seemed to be proposing manually doing what agentless NAC already does (or claims to do). I think Palo Alto Networks is already where he is theorizing we should be going. Early in the talk Jay became the first victim of Larry Pesce's compressed-air powered Shmooball cannon- a yell of "fire in the hole", a loud pop, and the air was full of Shmooballs.

After a little lunch and some time in the Lockpick Village I caught Simple Nomad's "Practical Hacker Crypto". It was informative and entertaining, as his talks always are. After a shot at Ovie Carroll (from the Cyberspeak podcast), Simple delivered the most solid advice of the con, "don't do dumb shit". A little light on specifics, but irrefutable advice. Simple later proposed PDP, the Plausible Deniability Protocol- under the topic of WWDKD (What would Dan Kaminsky do?). The now-infamous Mr. Pesce and his cannon struck again during the talk.

At 4:00 I went to one I had been looking forward to, a talk on small business security challenges. Displeased with their ideas, I threw Shmooballs and challenged their contention that small businesses are easier to secure than larger entities. To their credit one of the presenters, Pete Caro, found me in a hall later in the day and asked if we could continue the conversation tomorrow. I'm looking forward to it. That will be at least one blog post of its own, hopefully soon.

For the final time slot I went over my head into "Advanced Protocol Fuzzing" with Enno and Daniel from ERNW. I think it went over many people's heads, but I stuck it out and am glad I did. Crashed Cisco gear is a perennial crowd favorite, and they delivered. The preso, followed by a hallway chat with Chris Hoff and Daniel, convinced me that I need to learn about VRRP and think about trying to break VRRP, HSRP and WLCCP. If I make any progress, that should be a few blog entries.

Chris Hoff and I have also been delivering running commentary on Shmoocon on Twitter. (There's another blog entry in the works, the growing Security Twitterati community). Chris' tweets are here and mine here.

Jack