
Security Industry Archives

April 20, 2007

Gotta Show Some Respect To Microsoft

Microsoft historically takes a bad rap with respect to its handling of vulnerabilities. Maybe that would be better worded as: they take a lot of heat from a lot of people whenever something, anything, small or large, hits a public forum claiming that something with the Microsoft name on it is even mildly vulnerable to some kind of attack. I'll admit it, I'm one of those people who can easily bash Microsoft.

This evening, I'm taking a different stance. I'm genuinely impressed by Microsoft's responsiveness as of late. The .ani file handling bug, aka the GDI vulnerability, was fixed rather quickly. Now they've got a more complex problem, the RPC/DNS bug. Yes, I'd like to see the patch faster. Yes, I'd like it better if it had never been vulnerable to start with (hrmm, don't end a sentence with a preposition). There seems to be a different Microsoft so far in 2007. Today they gave us a new posting discussing a knowledge base article on using a script to automate the suggested mitigations.

Communication is good.

I'd rather not have buggy code at all, but I'm happy to accept the efforts and communications.


(I'll now hide under the desk as everyone throws rocks at me)

June 1, 2007

Does your vendor help or hinder your security methodologies?

As a security operations manager, one thing that concerns me is the ability to use vendor information within our risk management methodologies. Vulnerability and configuration compliance tools are important assets. The discovery tool allows a team to find vulnerable systems. Configuration tools permit us to set a standard, discover outliers and enforce new policies. Nonetheless, there is a missing component: the vendor interaction, and how it affects your resource planning and immediate risk management.

Already in 2007, we've experienced some interesting vendor dynamics, which have forced us to stretch our normal operational methods. FreeBSD recently froze its ports tree in order to upgrade Xorg and its interdependencies. The freeze meant that even though port maintainers had submitted patched versions of PHP, our normal method of software patching was hindered. With Apple, we saw a handful of interdependent Java and QuickTime bugs. In one case, a third party's suggestion was to disable Java. This mitigation left many enterprises at an impasse: disable Java and hinder work, or accept the risk. April brought the remote DNS RPC bug from Microsoft. Even though this vulnerability didn't affect us, it's what began my dive into these thoughts. What's a consumer to do when faced with a serious vulnerability and no clear mitigation or solution strategy?

When put in such a position with little information and no place to acquire assistance, we become dependent on our own skills and strategies. The decisions made are highly driven by the vendor's ability to provide assistance. The ad hoc rating system below was spawned by this dilemma. This is a comparison of Apple, Microsoft and FreeBSD. How do your vendors rank?

Item                                 | Reason           | Apple | Microsoft | FreeBSD
-------------------------------------|------------------|-------|-----------|--------
Regular Bulletin Release Schedule    | ERP              | no    | yes       | no
Security Announcement Mailing List   | Communications   | yes   | yes       | yes
RSS Feeds                            | Communications   | yes   | yes       | yes
Email Cryptographically Signed       | Info Integrity   | yes   | yes       | yes
Security Bulletin: Pre-Announcement  | ERP              | no    | yes       | no
Security Bulletin: Summary           | Communications   | yes   | yes       | yes
Security Bulletin: FAQ               | Communications   | no    | yes       | no
Security Bulletin: Mitigations       | Risk Mgmt        | no    | yes       | yes
Security Bulletin: Workarounds       | Risk Mgmt        | no    | yes       | yes
Security Bulletin: Update/Patch      | Risk Mgmt        | yes   | yes       | yes
Security Bulletin: CVE Usage         | Interoperability | yes   | yes       | yes
Security Bulletin: CVSS Usage        | Interoperability | no    | no        | no
Security Bulletin: Acknowledgments   | Communications   | yes   | yes       | yes
Security Bulletin: Website Uses SSL  | Info Integrity   | no    | no        | no
Vendor Free Detection Tool           | Risk Mgmt        | no    | yes       | yes
Vendor SDLC Public                   | Communications   | no    | yes       | yes
Alt Vendor Communication Forum       | Communications   | no    | yes       | yes

June 19, 2007

The iPhone, our new security nightmare

The dawn is near; the iPhone blitz lies prepared to turn your security team into zombies. On June 29th, your helpdesk systems will be inundated with whines to "make my new flashy iPhone work with my work PC". No amount of beer, ThinkGeek gadgets or favors will get me or my team to kowtow.

Thanks to Andy Greenberg at Forbes for allowing me to interject some commentary into his article "is the iPhone Insecure?" While I took a bashing from the MacDailyNews community, I stand by my statement - 'It's [the iPhone] going to be entering enterprise networks whether we like it or not, and it's a nightmare for security teams.'

Most pundits rest their entire counter-viewpoint on the fact that the iPhone runs OSX (or some derivative thereof): "it's from Apple, it's OSX, therefore it's secure". First off, OSX isn't all puppy dogs and candy canes. Allow me to also dispel the myth of my favorite OS affiliation: no, it's not Windows, and my personal history with *nix operating systems began in 1990. Hopefully, though, we can steer clear of this topic and thwart the quagmire of OS wars. One should adopt the right OS for the right situation (period).

Enterprise security is what I write about here. As the iPhone currently stands, it has no place in the enterprise network, simply because it lacks enterprise security controls. No doubt most of our commentary on the iPhone is speculative. The most anyone can get out of Apple are demonstrations of the iPhone's fantastic user interfaces...and boy, aren't they cool! Given that Apple has completely failed (so far) to address enterprise security, enterprise security teams must prepare for the worst. The vendor plays an important role in security methodologies, something I've written on before. Faced with a lack of vendor information, we must hunker down and prepare our defenses. For all our sakes, let's hope Apple pulls this one off (besides, I'd like an iPhone too). Though I suppose Apple's market analysis has probably already told them this: despite concerns like mine, people like me will still pony up the $$ regardless.

Since so much of this topic is purely speculation and Apple wouldn't even answer questions for Forbes, I've assembled a straw-man list of questions. The list below is by no means exhaustive. Apple, if you read this, would you please address these questions in a public forum? We'd all like to know what to expect and how to reel this new gadget into our security policies.


Questions for Apple regarding the iPhone:

  • Is data encrypted while in transit?
  • Is data encrypted on the device?
  • Is data encrypted on removable memory?
  • Is data removed if the device hasn't checked in centrally, hasn't received a policy update within a time window, or if battery power is too low?
  • Is there S/MIME support?
  • Is there PGP support?
  • Are there electromagnetic analysis countermeasures?
  • Are there DRM applications? (Ability to read, but not forward data)
  • Is there user authentication by means of password, passphrase or smart card?
  • Does the device automatically lock and require authentication to unlock?
  • Are the encryption keys stored on the devices and are they also encrypted?
  • Do the network devices have firewalls?
  • Are the network interfaces disabled by default, and does the user have the ability to disable them at will?
  • Is there the ability to remotely lock and disable the device?
  • Is there the ability to remotely wipe and backup data?
  • Is there the ability to centrally develop and enforce policy settings?
  • Is there centralized reporting of all device events - calls made, data transferred, usage statistics?

Update: This just in from Network World


The analyst firm Gartner will tell IT executives to keep Apple's iPhone away from their networks, in a research report to be released within a week.

"We're telling IT executives to not support it because Apple has no intentions of supporting (iPhone use in) the enterprise," Gartner analyst Ken Dulaney says. "This is basically a cellular iPod with some other capabilities and it's important that it be recognized as such."

Full story available here


Update 6/22/07

eWeek has a nice writeup covering viewpoints including mine, Matasano's (Dave Goldsmith) and Gartner's. Check out the last page of the article, where you'll find that eWeek got Microsoft to answer my list of questions above.


June 28, 2007

Supporting smartphones in your enterprise

If you haven't heard, there is a new smartphone entering the market tomorrow, June 29th. Apple has publicly stated a goal of selling 10 million iPhones in 2008. In the larger smartphone market, 10 million iPhones is not a huge share. According to market analysis data shared by Symbian, Gartner says that 72.9 million smartphones were shipped in 2006, a 50% increase over 2005. What you should be concerned about is the expected rapid penetration of all smartphones. Canalys predicts global smartphone shipments will reach 1 billion by 2012. That's 1 billion handheld devices with gigabytes of storage, a USB connector, a Bluetooth interface and connectivity to cellular as well as Wi-Fi networks. Moore's law aside, nobody could have predicted that those 1980s-era big black box cell phones would morph into a pocket-sized computing platform rivaling most computers of just 10 years ago.

If someone in your organization hasn't already asked your IT team to support one of these devices, then chances are they already exist and you've chosen to ignore them. Here is your two-by-four smack to the behind. If Apple's market penetration with the iPod is any predictor for the iPhone, then you can easily anticipate the thundering herd. You can choose to embrace the change, fight it or ignore it. As a security professional, I suggest a skeptical embrace of the iPhone. Toward the overall goal of supporting smartphones in your enterprise, I suggest four top-line items for you to consider.

1 Embrace the Need
No matter how much you may want to think that a zero-tolerance policy keeps these devices away from your networks and company intellectual property, you must learn to accept the truth. There are smartphones, iPods and USB drives in your offices. There is employee, vendor and customer information residing on unapproved storage media. Don't ignore requests for IT to support handheld devices; choose to be proactive. Investigate the options available; speak with your users and vendors to find a palatable solution.

2 Centralized, Supportable, Risk Mitigation
While you are investigating your options, think: centralized, supportable and risk mitigation. Like any good enterprise deployment, you want the biggest win with the least overhead. Consider a solution that can be centrally managed and works within existing supported infrastructure. Make sure that you can support the system with an SLA that you, your users and managers can accept. Furthermore, adding service for smartphones may increase the risk posture for your company or for other business units, customers and vendors. It's important to consider the possible risk side effects. Those who are process oriented may want to include the services in an information risk analysis and the company business impact analysis.

3 Entry and Exit
Networks are no longer the classic cloud protected with a pinprick of an opening and a T1 to the Internet. Not only may we have hundreds of approved ingress and egress points, but there is also an unknown, possibly dynamic, number of other holes. The advent of software VPNs, wireless LANs and now handheld devices with multiple network interfaces is turning networks into moldy Swiss cheese. One item to address: your Wi-Fi networks. If you haven't locked down your wireless networks, do so now. Make sure those wireless networks are, first, outside your corporate LAN and, second, require encryption, authentication and authorization to use.

4 A Policy is Like Poker
Make a policy, stick to your guns, but know when to fold your cards. Not unlike the familiar Windows Active Directory group policies, an enterprise-caliber smartphone solution allows security teams to create and push policies that affect the functionality and security of the devices. You'll want to invest in a solution that lets you centrally manage these policies while also providing reporting, logging and control of smartphone activity. In developing that policy, consider methods to protect confidential data in transit and at rest; just a few include data encryption, password protection, remote data wiping and over-the-air data backup. Policies do solve a need, but be aware that one must always balance security against productivity. If your smartphone policy automatically locks the device after 1 minute of idle time, users will quickly become angered at having to type the unlock password countless times throughout the day.

Even if this isn't your wake-up call, it may be time to readdress your security posture when it comes to smartphones. Hopefully, these 4 items will guide you and your enterprise to a more comfortable place.

July 19, 2007

On Trust and Regulation

Trust is part of our daily lives. It's what gets us to work in the morning and it's what keeps our society from going insane. That car in the lane next to me on the freeway this morning: I trusted it not to swerve into my lane and send me careening into the guardrail. But did I trust the car or the driver? How is trust created, and are we using regulations and money to buy customer trust?

On Tuesday, July 17th, the Deputy Attorney General made remarks to the Corporate Fraud Task Force, in which he said:

"For the past five years, the Task Force has worked to restore public confidence and trust in the American business community." Deputy Attorney General Paul J. McNulty, July 17th, 2007

What does this have to do with information security?
McNulty's quote refers to Sarbanes-Oxley and other regulatory matters put in place since the Enron and WorldCom fallout. While he does pointedly say "business community", he still talks of business as an entity capable of trust. Many of us like to think we trust an organization, a business or some concrete entity. Regulation does not drive trust in a business; it aids in ensuring that people do the right thing. Further, the people whose trustworthiness we really should be questioning are the auditors. Adherence to regulation can, today, only be fully measured by a human. It is the auditor who has the job of rating compliance.

The point(s)
The crux of this discussion of trust is that businesses and consumers have come to define their trust in another company based on regulations and frameworks. The first thing we ask for from any potential vendor is their latest audit findings (SAS 70, SysTrust, etc.). It's actually become a cop-out for many, as opposed to doing the real personal work of investigation. Fail to provide a SAS 70 report and you can instantly expect either to lose the deal or to need to reduce your bid by 50%. Somehow it's thought that a good audit translates into a well-run company in which we can place our trust.

Do Audits and regulation equate to trust?
Let's get this out in the open: the SAS 70 is one step above a note from your mom. It has no standard control framework, and it's easy enough to change your stated controls to ensure a passing grade. Yes, the SAS 70 report does include both the stated controls and the findings against them. So you, as the evaluator of the findings, take on the risk of ensuring that the stated controls are what you desire in a vendor. After reviewing a SAS 70 report, is the consumer now in a position to trust the provider, or is that still in the eye of the beholder?

Those of you who work for a company bound by regulatory policy know the pain very well. According to some estimates, 10% to 15% of your overall IT budget is spent on SOX efforts. Some might say that spending 15% of your budget to gain someone's trust is cheap, but that would be false. That 15% was your admission fee just to get in the game.


Let's move out from under the cover of policies, regulations and frameworks as a method to judge trust in a corporation. A person awards trust. Audit reports move us along the road to shared knowledge, but don't be lazy. In order for someone to earn trust, both entities need to co-develop a priori knowledge of each other.

July 27, 2007

Classified Information Leaked By Way Of P2P Apps

Network lockdown checklist

Firewalls in place? Check
IPS functional? Check
Antivirus? Check
Anti-spyware? Check
Everything patched? Check
Centralized log management? Check
...
Highly sensitive confidential information leaked over P2P? Check!

NetworkWorld reports that numerous classified government documents, along with corporate confidential information, are being leaked by way of peer-to-peer networks. Included in the list of documents found are "the Pentagon's entire secret backbone network diagram, complete with IP addresses" and "physical terrorism threat assessments for three major U.S. cities". The fright night doesn't end there; many corporate documents were also discovered, including board minutes, launch plans, growth targets and patent information.

Their networks are set up well, but their configuration management is Swiss cheese

Too much energy is being placed on network perimeter defenses. Those who still believe that a good perimeter wall solves the problem need look no further for proof to the contrary.

Eric Johnson is a professor at the Center for Digital Strategies at Dartmouth College who testified before the House Committee on Oversight and Government Reform regarding this issue of inadvertent information disclosure.

Quoting from the NetworkWorld article:


"I spend a lot of time with CISOs and CIOs who think they have locked down their networks and made it difficult for people to join P2P networks," Johnson said. But those controls fail when employees take work home and then connect their systems to a P2P network. "CISOs can do a great job hardening their own networks but controlling what thousands and thousands of individuals do is impossible," he said

Mr. Johnson paints the picture perfectly: the problem is not with the networks, but with the overall configuration and compliance strategy. There is a classic use case in managing PCs that proves the difficulty of the situation.

The use case

The IT department configures and deploys systems based on a common operating environment: hardware, an operating system and software, all configured to a known gold standard. When that device leaves the hands of IT, it instantly changes, and it changes in many unpredictable ways. Even with a good set of centralized administrative controls like Group Policy Objects on Windows, extraneous business needs lead to weaker controls. For example, many enterprises permit the user local administrator access to the system in order to install patches or run legacy applications. Not to mention that not every organization is running Windows Server 2003 with Vista on the endpoints. These reasons and many others open the door for people to install applications, make changes and quickly diverge from the IT gold standard.

Continuous Compliance

Beginning with the gold standard is a must, but more importantly, once the device leaves the nest of IT, it must be continuously monitored. This is one job of the vulnerability, configuration and compliance strategy.

According to the story at hand, the information was inadvertently leaked using peer-to-peer file sharing applications. If the device had been under continuous configuration monitoring, then an application such as LimeWire, Kazaa or another P2P client would have been discovered and reported to the security operations team for investigation.
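What that continuous configuration monitoring amounts to, as an added example that is not from the post or from any nCircle product: compare each host's reported software inventory to the gold image, rate anything extra against a forbidden-software policy (P2P clients such as LimeWire and Kazaa rated high), and rate anything missing by whether it is a required control such as antivirus. The gold image, policy patterns and inventory lines below are all constructed for the example.

```python
"""Gold-standard drift check for endpoint software inventories.

Added example, not code from the original post. Compares what each host
reports as installed against the IT gold image plus a forbidden-software
policy, and emits findings for the security operations team. Gold image,
forbidden patterns and the inventory lines are all constructed here.
"""
import re

# Constructed gold image: what IT deploys.
GOLD_IMAGE = {
    "Windows XP SP2",
    "Microsoft Office 2003",
    "Antivirus Agent 7.1",
    "VPN Client 4.2",
}

# Gold-image software that must never be absent (prefix match).
REQUIRED_PREFIXES = ("Antivirus Agent",)

# Forbidden software, regex -> category. LimeWire and Kazaa are the P2P
# clients named in the story; the others are further well-known P2P clients.
FORBIDDEN = {
    r"\blimewire\b": "P2P file sharing",
    r"\bkazaa\b": "P2P file sharing",
    r"\b(bittorrent|utorrent|bearshare|edonkey|emule)\b": "P2P file sharing",
}

# Constructed inventory export: "hostname,installed application".
INVENTORY = """\
ws-0142,Windows XP SP2
ws-0142,Microsoft Office 2003
ws-0142,Antivirus Agent 7.1
ws-0142,VPN Client 4.2
ws-0142,LimeWire 4.16
ws-0142,iTunes 7.3
ws-0207,Windows XP SP2
ws-0207,Microsoft Office 2003
ws-0207,VPN Client 4.2
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_inventory(text):
    """Return {hostname: set(applications)} from 'host,app' lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip() or "," not in line:
            continue
        host, app = (part.strip() for part in line.split(",", 1))
        hosts.setdefault(host, set()).add(app)
    return hosts


def classify_addition(app):
    """(severity, reason) for software present that the gold image lacks."""
    for pattern, category in FORBIDDEN.items():
        if re.search(pattern, app, re.IGNORECASE):
            return "high", f"forbidden: {category}"
    return "low", "not in gold image"


def drift_findings(host, installed, gold=GOLD_IMAGE):
    """Findings for one host: extra software (rated by policy) and missing
    gold-image software (high if it is a required control)."""
    findings = []
    for app in installed - gold:
        severity, reason = classify_addition(app)
        findings.append({"host": host, "app": app, "severity": severity, "reason": reason})
    for app in gold - installed:
        required = app.startswith(REQUIRED_PREFIXES)
        findings.append({
            "host": host, "app": app,
            "severity": "high" if required else "medium",
            "reason": "required control missing" if required else "gold-image software missing",
        })
    # Highest severity first so the SOC queue reads top-down.
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["app"]))


def run_report(inventory_text):
    """{hostname: [findings]} for every host in the export; a compliant host maps to []."""
    return {host: drift_findings(host, apps) for host, apps in parse_inventory(inventory_text).items()}


if __name__ == "__main__":
    for host, findings in sorted(run_report(INVENTORY).items()):
        for f in findings:
            print(f"{f['severity']:6} {host} {f['app']}: {f['reason']}")
```

Running it against the constructed export flags LimeWire on ws-0142 as high, iTunes as a low "not in gold image" deviation, and the missing antivirus agent on ws-0207 as high. The point is the loop, not the list: the inventory has to be re-collected on a schedule (or on every network join), because a host that was clean at deployment time is the one that turns up with a P2P client six months later.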

This is the latest security challenge, and every organization must tackle the possibility of losing confidential information and intellectual property. Continuous monitoring has to be addressed as a component of a layered, proactive strategy.


July 31, 2007

nCircle at BlackHat

Quick note for anyone at BlackHat this week.

nCircle is a sponsor at BlackHat USA 2007. There is a contingent of us at the show. Stop by the booth and say hello.

September 6, 2007

The Security Trickle Down Effect

Sarbanes-Oxley, ISO 27002, GLBA: what do they all have in common? Yes, each contains, at least in part, an information security standard or regulation. From an applicability perspective with respect to business size, relatively few small or medium-sized businesses are directly mandated to conform to these or other standards and regulations. Even though it is the upper end of medium-sized businesses and large businesses throughout that are directly affected by mandated standards, the smaller companies are still being affected by a trickle-down movement.

The trickle-down effect was originally coined as a marketing term to describe the availability of consumer goods among socioeconomic classes. As new, highly desired products were put on the market, their initial high price tag meant only those with discretionary cash could afford them. Eventually, over time, the product penetrates all markets as the price drops, thus trickling down to its full market reach. Those familiar with Reaganomics will find the term "trickle-down economics" one of common rhetoric: providing more working capital to top-tier businesses trickles cash down to the working class. Many other trickle-down models have been explored; one that seems to be in play today is that of information security.

The typical profile of an nCircle customer is a multinational, global enterprise or a local, state or federal government agency. These are the entities at which regulations like SOX, FISMA and GLBA are targeted. It's also the same subset that employs standards such as COBIT and ISO 27002. Each of our customers has lengthy contractual security agreements that each of their vendors must adhere to. These, in turn, have been driven by their required regulations and standards. nCircle likewise returns the effort by ensuring its vendors employ meaningful security measures. The outcome is a security trickle-down effect.

Selling to these enterprise and federal organizations has altered the way my team addresses security at nCircle. While our strategic and tactical methods for controlling risk met every stipulated requirement, we lacked organized and fresh documentation. Today, our policies, procedures and records are much better kept. We have an official InfoSec team, executive-approved SLAs and up-to-date standard procedural documentation.

What's more interesting are the ways in which our customers' requirements influence nCircle's vendors. Any potential vendor to nCircle must disclose its information security practices to us. We take a graduated approach depending on what information the vendor may have access to. Depending on the risk the vendor might pose to us, and likewise to our customers, the third company must answer anywhere between 20 and 100 questions before being evaluated by the InfoSec team. We are proud to see these vendors step up their own information security practices to meet our requirements.

While it might sometimes be hard to look beyond the security breaches at Fortune 500 companies and federal agencies to see that security is moving in a positive direction, the same is still said of the Reaganomics era. The actions of our customers, of nCircle and of our vendors when it comes to driving information security can, to some degree, be attributed to a trickle-down effect. There is no doubt in my mind that a handful of our vendors would be left behind if it weren't for their wanting nCircle's business. The technical tools, policies and procedures that a company uses to reduce risk are still a valid competitive value-add. Security is getting better, and one driving factor is the trickle-down effect.

March 5, 2008

Do Your Vendors Have Information Security That's AAA Good?

I ripped this blog title off from CSO Online.

In December of 2006, I predicted that we would see a nationally recognized information security rating system come to fruition in 2007.

In today's financial markets, investors rely on analyst reports and metrics, often referred to simply by the company providing the metric: Moody's, Morningstar, Fitch and others. As an investor, these rankings and metrics generally weigh heavily in your decisions. However, we have no security index or rating system. If, as a consumer, you had a choice between taking a loan from two companies with different security index ratings, you might think twice. Would you want to risk your personal information being negligently handled in return for a lower rate, or take a slightly higher rate knowing your information is safer?

Well, 15 months later, Moody's will soon be announcing its own Vendor Information Risk Rating Service, according to this article in CSO Online.

As a security manager, I can't wait for the day when this tactic is mainstream. The amount of time, resources and lost opportunity given to individually assessing each vendor's security practices drives me nuts. Let's hope Moody's does this well. Even more so, let's hope that every independent and trusted rating company jumps on the bandwagon to drive competition in this new marketplace.

March 28, 2008

Defining America's Most Trustworthy Companies

In Newsweek, Daniel Gross said there is a growing "crisis of confidence" when it comes to Wall Street. The evidence is readily available: the fall of Bear Stearns, the subprime mortgage mess and consumer confidence declining to new lows. For the second year, Audit Integrity provided its annual data to Forbes, which has likewise published it as the "most trustworthy companies". Audit Integrity claims to have an objective means of analyzing a company to deliver an accounting and governance risk score. What that means, simply stated, is something like "those companies that play by the rules and take few risks when it comes to creative accounting get a higher score". A higher score is supposed to equate to a higher level of trust.

While it's the market data that gets the majority of the headlines these days, it's the careful words now being used that get my attention. Words like confidence, trust, trustworthy, fear. Sound familiar? They are the exact same emotional words we use in information security.

And while this blog isn't intended to discuss financial market stability, it is about risk management. For those of us in the information security world: open your eyes; there is a giant event happening outside the bubble of your office. Trust is at an all-time low. If you've been in any services-oriented group, infrastructure or operational setting for a while, you've probably already witnessed what happens when trust is lost: it's never regained to the level it was before.

To accept a vendor's information security practices is, to some degree, to say, "I trust you". Is that an accurate description of what just happened? Or are you, as the person held responsible for ultimately keeping your company's information secure, actually thinking,

"Our information security due diligence process that took months (and way too much money) derived some kind of fallible rating that didn't fall into the bottom of the failure category. As such, we can do business, but I'm going to hand over reams of documents and disclaimers to some legal team which now has the job of limiting our risk by contractual risk avoidance disclosures".

We don't enjoy apathy or lackluster personal performance. And we don't relish the requisite current toolset either. Yes, we have regulation. Yes, we have defined standards, and we also have auditors, reports, disclosures and exceptions. And yes, we are supposed to use all that to give the business guidance in determining the best route to deliver the upside, reduce risk and keep costs down.

While Audit Integrity's list of America's Most Trustworthy Companies might seem hard for an information security professional to grapple with, the idea itself gives this infosec person hope that one day I might see a similar list of America's Most Secure Companies. Though infosec still has many years of maturing before we can start deriving standards-based scoring anywhere on par with the financial models. Hopefully, though, we can learn from this crisis of confidence and not repeat history.

April 8, 2008

nCircle at RSA This Week

nCircle is at RSA this week and we have remote-control helicopters. Let's face it, people like to get free stuff at conferences. So come by the booth and learn how to get yourself one of these very cool RC helicopters.



And while I have your attention, we also have two employees speaking this week.

When: Friday, April 11 at 9:00 AM - 9:50 AM
Title: Using Game Theory to Outmaneuver Your Opponent
Location: GREEN ROOM 102
Speaker: Tim Keanini


Technology Showcase Presentation
When: Wednesday, April 9 at 11:30 AM
Title: Effective Scanning for Production Web Applications
Location: Booth 2603 (lower right corner of the show floor)
Speaker: Tim Erlin

August 1, 2008

Apple DNS Patch Fails To Randomize - Users Still At Risk

Did Apple forget to patch something? By the look of things, the DNS client on the OSX 10.4.11 distribution still has not been patched.

A lot of people, including myself, have been prodding Apple on why they are so late to the table with this DNS patch. All the major vendors had at least made a public statement about the issue within a few days. As for Apple, they have been characteristically quiet, which never seems to work in their favor. The general counter-argument has been that since OSX is not widely used as a recursive DNS server, they haven't been putting their users in too much jeopardy.

As things normally go with Apple, they sprang an update on us. Late in the day yesterday, we got Security Update 2008-005. This release includes an update for BIND (along with a good number of other items worth reviewing).

Excerpt from the release notes:


BIND
CVE-ID: CVE-2008-1447

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: BIND is susceptible to DNS cache poisoning and may return forged information

Description: The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.

No Port Randomization

The current countermeasure to this DNS cache poisoning vulnerability is to add entropy by randomizing both the query ID and the UDP source port. With only the 16-bit query ID unpredictable, an attacker blindly flooding forged responses has roughly 65,000 values to guess; randomizing the source port as well multiplies that by the size of the port range, making a spoofed response far harder to land. However, it appears that Apple forgot something. The client libraries on my OSX 10.4.11 system, post patch install, still do not randomize the source port.

Here is a comparison between a patched FreeBSD 6.3 system and my OSX 10.4.11 system.

FreeBSD 6.3


08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? www.yahoo.com. (34)

08:50:02.708123 [BSD].51023 > [SERVER].domain: 45758+ A? www.yahooooo.com. (35)

08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? www.www.net. (29)


OSX 10.4.11

08:05:47.741385 IP [OSX].49193 >[SERVER].domain: 55613+ A? www.cnn.com. (29)

08:05:48.207547 IP [OSX].49194 >[SERVER].domain: 1106+ PTR? 21.91.236.64.in-addr.arpa. (43)

08:05:51.717245 IP [OSX].49195 >[SERVER].domain: 27650+ A? www.cnn.com. (29)
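The comparison above can be automated. The following is an added example (not code from the original post or from Apple or FreeBSD): it parses tcpdump's default DNS query summary lines, groups the outbound source ports per client, and flags a client whose ports climb by exactly one on every query, which is the pattern visible in the OSX capture. The sample capture is constructed from the six lines quoted above; the client and server names in brackets are the post's placeholders, and the regular expression tolerates the missing "IP" token and the missing space after ">" that appear in the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample input: the tcpdump lines quoted in the post, used here as test data.
SAMPLE_CAPTURE = """\
08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? www.yahoo.com. (34)
08:50:02.708123 [BSD].51023 > [SERVER].domain: 45758+ A? www.yahooooo.com. (35)
08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? www.www.net. (29)
08:05:47.741385 IP [OSX].49193 >[SERVER].domain: 55613+ A? www.cnn.com. (29)
08:05:48.207547 IP [OSX].49194 >[SERVER].domain: 1106+ PTR? 21.91.236.64.in-addr.arpa. (43)
08:05:51.717245 IP [OSX].49195 >[SERVER].domain: 27650+ A? www.cnn.com. (29)
"""

# tcpdump DNS query summary: "<time> [IP] <src>.<sport> > <dst>.domain: <txid>[+] <qtype>? <qname> (<len>)"
# "IP" may be absent and the space after ">" may be missing, as in the excerpt above.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:IP\s+)?(?P<src>\S+)\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\S+?)\.domain:\s+(?P<txid>\d+)\+?\s+(?P<qtype>\w+)\?\s+(?P<qname>\S+)"
)


def parse_queries(capture):
    """Return one dict per outbound DNS query found in tcpdump text (unparseable lines are skipped)."""
    queries = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            q = m.groupdict()
            q["sport"] = int(q["sport"])
            q["txid"] = int(q["txid"])
            queries.append(q)
    return queries


def assess_client(ports):
    """Classify a client's source-port sequence.

    Returns (verdict, sequential_fraction), where sequential_fraction is the share of
    consecutive queries whose source port increased by exactly one.
    """
    if len(ports) < 2:
        return "insufficient data", 0.0
    if len(set(ports)) == 1:
        return "fixed port (not randomized)", 0.0
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for d in deltas if d == 1) / len(deltas)
    if sequential == 1.0:
        return "sequential (not randomized)", sequential
    return "randomized", sequential


def audit(capture):
    """Map each client seen in the capture to its source-port verdict."""
    ports_by_client = defaultdict(list)
    for q in parse_queries(capture):
        ports_by_client[q["src"]].append(q["sport"])
    return {client: assess_client(ports) for client, ports in ports_by_client.items()}


if __name__ == "__main__":
    for client, (verdict, fraction) in audit(SAMPLE_CAPTURE).items():
        print(f"{client}: {verdict} (sequential fraction {fraction:.2f})")
```

Three queries are enough to show the problem but not to prove a resolver is randomizing well; on a real host, capture a few hundred queries (for example with tcpdump's `-n port 53` filter) before drawing conclusions, and repeat the check for every stub resolver and forwarder in the path, not only the recursive server.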


The Bottom Line

For Apple, it matters most that they patch the client libraries since there are so few OSX recursive servers in use. The bottom line is that despite this update, it appears that the client libraries still aren't patched.

Update:

Swa Frantzen, the SANS Handler on duty, discovered the same thing on OSX 10.5.4.

Thanks to Gregg Keizer for covering this topic at ComputerWorld.

And Ryan Naraine also found this interesting enough to cover at the ZDnet Zero Day Blog.


August 12, 2008

Many Microsoft Bulletins Replaced; Bigger Set of Kill Bits Issued

Many Patches Get Replaced

When it comes to Microsoft Patch Tuesday, August might just be better classified as a do-over. Of the 11 bulletins released today, 7 of them replace former bulletins. The bulletins being replaced are an interesting diversion in their own right. One dates back to 2003 while others were just released in the past few months. In one case, MS08-026, a remote code execution in Word, has now been superseded by three new bulletins this month.

08-041 replaces 03-038
08-042 replaces 08-026
08-043 replaces 08-026 and 08-014
08-044 replaces 06-039
08-045 replaces 08-031
08-048 replaces 07-056
08-051 replaces 06-058 and 08-026

Is this a case of bad patch or new vulnerability? In all likelihood, the replacements signify a bit of both. A common tactic for any researcher is a history lesson in what you are investigating. By focusing your microscope on older patches, two sets of clues are generally revealed: where code changed and what kind of changes occurred. The 'where' and the 'what' of any code base tell a lot. Where code was altered gives a researcher clues as to important locations for further inspection. Similarly, the 'what' tells a researcher what kind of functions or routines have been problematic in the past and might prove to be troublesome again. Chances are we are seeing additional fixes for past vulnerabilities as well as new flaws found by means of these history lessons.

Kill Bits Galore

Security advisory 953839 was also published today. The intent of this cumulative security update is to issue new kill bits for known vulnerable controls. A kill bit is a value in the registry which instructs your computer not to execute the control if it is requested. This does not remove or update the vulnerable code; it simply tells your computer not to run it. In today's update, we received roughly 90 kill bits on class identifiers related to products by Aurigma and another 20+ on products from HP.

This is not the first time that Microsoft has utilized Patch Tuesday to distribute kill bit settings for third party applications. While this method may be viewed as novel now, it will soon become relentless and tiresome as time moves forward. The reason is partly based on what we learned from Microsoft at last week's BlackHat talk. Microsoft announced their new security initiatives, one of these being their active efforts to deliver a holistic, more secure system to Windows users, even if it means finding bugs in 3rd party products. Going forward, we can expect Microsoft to find vulnerable ActiveX controls and issue kill bit updates on Patch Tuesday, thus making Windows generally more secure and providing the 3rd party vendor time to release proper updates for their software.
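Because a kill bit only sets a registry flag, an administrator can verify coverage by exporting the relevant key and checking which class identifiers carry the flag. The following added example (not code from the original post or from Microsoft) does that for a .reg export: it walks the documented location, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, reads each "Compatibility Flags" DWORD and reports the CLSIDs where the kill bit (0x400) is set. The CLSIDs in the sample export are constructed placeholders, not the Aurigma or HP controls named in the advisory; the helper and function names are this example's own.

```python
import re

# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD (documented in Microsoft KB 240797).
KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9A-Fa-f]{8})$', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed .reg export with placeholder CLSIDs (these are not real controls).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000401

[HKEY_LOCAL_MACHINE\SOFTWARE\PlaceholderVendor\{44444444-4444-4444-4444-444444444444}]
"Compatibility Flags"=dword:00000400
"""


def is_kill_bit_set(flags):
    """True if the kill bit is set, regardless of any other compatibility flags in the DWORD."""
    return bool(flags & KILL_BIT)


def parse_compat_flags(reg_text):
    """Map CLSID -> Compatibility Flags for subkeys of the ActiveX Compatibility key only."""
    flags_by_clsid = {}
    current_clsid = None
    prefix = ACTIVEX_COMPAT_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            current_clsid = None
            # Values under unrelated keys (the PlaceholderVendor entry above) must be ignored.
            if key.lower().startswith(prefix):
                clsid_match = CLSID_RE.search(key)
                if clsid_match:
                    current_clsid = clsid_match.group(0).upper()
            continue
        flags_match = FLAGS_RE.match(line)
        if flags_match and current_clsid:
            flags_by_clsid[current_clsid] = int(flags_match.group("hex"), 16)
    return flags_by_clsid


def kill_bitted_clsids(reg_text):
    """Sorted list of CLSIDs in the export whose control is blocked by a kill bit."""
    return sorted(c for c, f in parse_compat_flags(reg_text).items() if is_kill_bit_set(f))


if __name__ == "__main__":
    for clsid in kill_bitted_clsids(SAMPLE_REG):
        print("kill bit set:", clsid)
```

A real export made with reg.exe or regedit is UTF-16 encoded, so decode it before passing it in. On 64-bit Windows the 32-bit view of the key lives under SOFTWARE\Wow6432Node, so audit both locations; and because a kill bit does not remove the vulnerable code, the list of blocked controls is a reminder of which third party products still need a vendor fix.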

September 18, 2008

Time For Apple To Embrace A Security Development Lifecycle

The Time Has Passed For Apple To Embrace A Security Development Lifecycle

Last week Apple proved that they are not ready for prime time enterprise relationships. Apple has tried to position their iPhone as enterprise ready, but this last round of software updates demonstrated beyond a shadow of a doubt how far they have to go to understand the enterprise mentality.

On September 9th, Apple released updates to some 20 security vulnerabilities that included updates to QuickTime, iTunes and other software. On September 12th, Apple released iPhone version 2.1, which was intended to fix 8 security holes and repair 3G connections problems. On September 15th, Apple released updates to OSX that includes fixes to nearly 70 security problems. On September 16th, Apple released updates to Remote Desktop, again fixing more security problems.

In the matter of 8 days, Apple released updates to every one of its major platforms and applications. Those updates included over 100 security updates spanning Mac OSX, Windows Vista, Windows XP, the iPhone and the iPod Touch. So how did that affect enterprise security teams?

On September 9th, security teams met, reviewed the updates, set priorities and assigned resources. Remember that unlike other vendors, Apple did not provide any advance notification on the timing or the magnitude of the updates. This update caught everyone off guard. Then again, without notice, security teams were brought back to the meeting room to discuss the updates on September 12th (repeat drill above). Then yes, you guessed it, same story again on September 15th and again on the 16th. Who knows, maybe by the time this hits our blog, there will be another update?

Every IT staff is already resource constrained and some teams always are in a passive firefighting mode. If your security team thought it was almost caught up with Apple updates already issued this year, the last week set you back significantly and probably pushed other, potentially critical, scheduled work into a wait state.

Mind you, last week's updates didn't stop at OSX. Even if you run a Windows shop that permits QuickTime or iTunes, you couldn't ignore this torrent of updates. The impact of this random update cycle from Apple may be serious enough that some companies decide to limit or stop using Apple hardware or software entirely. After last week, IT teams run ragged by the deluge of unannounced patches are wishing they could make the policy decision to get all Apple software off the network. With this kind of uncertainty and apparent lack of planning, who can blame them?

Apple had an opportunity to embrace the enterprise by showing leadership in its software development lifecycle. And while we would never expect Apple to follow in Microsoft's footsteps, they could have learned what works and what doesn't in the enterprise, and then, in their Apple way, taken it to the next level. I think that's what many Mac fans in the IT department were hoping for. Too bad we had such a big letdown last week.

We'd like to see Apple embrace public discourse regarding security updates. We respectfully suggest that Apple sit with enterprise managers, listen and then take the information they receive and build a process that doesn't leave IT teams staggering.

Instead of wasting the valuable time and resources of their target customers, Apple could take the opportunity to perform the way they have done in other markets. This assumes that Apple can apply their creative, customer focused energy that has made them a powerhouse in the consumer market and put some of that effort into collaborative partnerships.

We'd love to see Apple step up and change the game in software development lifecycle, or at least learn to play the game with the best of them. Apple, we're rooting for you, but it's gonna take a whole lot more than you've shown us so far. And we have to tell ya, hip and cool can only take you so far in the enterprise.


November 13, 2008

Meeting with Michael Chertoff, Secretary of the DHS

When it comes to reducing risk from cyber terrorism, the federal government faces the same difficulties as the private sector. This was one of my takeaways from an invite-only bloggers roundtable with the chief of Homeland Security, Michael Chertoff, the current secretary of the DHS.

In a room much too large for the 3 bloggers and a single member of the SF Chronicle press on the Stanford campus, we were afforded a unique opportunity to speak candidly with the co-author of the Patriot Act and the second person to hold the highest national security position post-911.



We were told to arrive at the designated location with enough time to clear security. After finding the golden trophy of a guest parking spot at Stanford, I fumbled around the campus in an attempt to find the correct building. Walking into the foyer of a stone building that fit perfectly into the pristine and majestic grounds, a man in a black suit with a BlackBerry and surveillance ear piece decided I was in the correct location. Soon I was meeting members of the Secretary's entourage and instructed to move down the hall and past the bomb-sniffing dog where the others were waiting. Minutes later we were passed through security and were "OK'd" to enter the conference room.

The four of us took our seats and began to wonder aloud if we "were it." A few minutes passed before Mr. Secretary stepped into the room. We introduced ourselves and I had expected at least some kind of small presentation. Instead, Mr. Chertoff offered no more than 3 sentences of welcoming remarks and the floor was open to questions. I felt a bit dumbfounded by the lack of structure, the openness of the situation, and honestly, by the fact that I was sitting just a few feet away from a member of the President's cabinet.

We learned that members of the Secretary's staff knew that all of us had solicited questions from our reader base via blogs, Twitter and Facebook. Chertoff said these questions would be a good place to start. An uncomfortable smile crossed my face. It was the smile anyone would have when you hear first-hand that the federal government has been reading your blog and Twitter stream. The feeling was partly creepy and partly pride with a dose of "that's not entirely surprising" thrown in for good measure. They did invite me after all, so they had to have done some kind of homework. It turns out that even the federal government uses Google.

We started with questions submitted by our readers, friends and colleagues. In the day leading up to the event I had heard several criticisms that an event like this was a waste of taxpayer dollars. One Twitter buddy went so far as to suggest I was spending his economic stimulus package. The Secretary had anticipated this question. He was on the West Coast for other events and recognized value in speaking with bloggers.

Obviously the Secretary's staff is aware of the ongoing shift away from traditional news to blogs and online outlets. Nielsen Online (1) continues to show a strong uptick in readers moving to non-traditional readership outlets. If you want to get your message out, then you have to engage with the new media, and bloggers are a key part of the new PR world. While the Secretary discussed his likes and dislikes of bloggers, especially "the rants," as he called one of them, I realized that everyone at the table was somehow defined as a leader in that new paradigm.

I asked an obvious question, "What do you expect or anticipate of us as bloggers after today's meeting?" The answer from Chertoff was "to blog." OK then. My first question out of the gate wasn't very interesting and it definitely didn't get me any bonus points.

My follow up question, "When are we going to see a DHS blog?" was also ridiculous since the Secretary does have a blog. Interesting enough, Chertoff said he writes it himself, with some editing help from time to time. I was feeling pretty small since this was something I should have known, until I realized that if I didn't know that the head of DHS has a blog, it's pretty likely that most of America doesn't know either.

My fellow blogger quickly shifted the topic to air transportation security. He asked, "When can we stop taking off our shoes at the airport?" Chertoff answered, "When we have sufficient technology." Airline travel proved to be a hot topic and Chertoff spoke with some consternation about the difficulty of thwarting attacks from a class of terrorists with minimal skills. "And wouldn't it be easy to stow away explosives in a sealed compartment inside my own laptop?" asked another blogger. Typing notes into my laptop, I paused and looked at the questioner from the corner of my eye. I thought, "That guy is about to find himself on the no-fly list."

Ten minutes into the roundtable and I came to a moment of internal clarity. This man was a true professional and he had heard it all. This realization allowed me to settle into a more comfortable position in my chair; I started to feel much more at ease. I realized that this meeting was no different than any of the executive meetings I attend as part of my professional life. And, it was certainly a lot less stressful than being on live national TV. While the others in the room had probably already come to this realization before they entered the conference room, I've never been a quick study on the psychology of Andrew Storms.

I jumped back into the fast paced question and answer session. I rattled off a question as if I were at the office water cooler: "Cyberterror; Georgia and Estonia have reportedly been attacked by home-based users in a coordinated denial of service attack. What is the federal government doing to protect our networks from that kind of event?" Chertoff answered methodically and with surprising candor. He said, "Reduce the number of entries (Internet connections), block attacks in real time, do background checks." The answer was almost a direct quote from federal government policy documents. The delivery, on the other hand, was purely genuine. Whether or not he believed these tactics were sufficient, they were the tactics the department is using. Chertoff's reply was crystal clear.

I blurted out my next questions as if I were a Fox News anchor. "Do you have ways to measure your effectiveness?" This question proved to be the catalyst I had been hoping for. It sparked a visible thought process by the Secretary. While saying he did have measurement statistics showing an overall reduction in risk, Chertoff shifted his focus and started speaking about his list of the 4 different categories of risk - network, software/hardware compromise, insider threats, physical threats.

He followed the risk conversation with some thoughts on his own personal philosophy for dealing with the private sector - one of collaboration. He made it clear that he had no desire to force private sector into working with the government to secure their systems. He did not want to be imposing, but if the private sector asked for help, the DHS would be entirely willing to help where they could. The Secretary spoke at some length about points of collaboration, the philosophy of incentives for motivation and his opposition to edicts.

It was tempting to stop and contrast this collaborative approach with the previous topic of airport security where participants are forced to participate in security measures, but the contradiction could easily be explained by the fundamental differences in the complexity of the problem and nature of the two different types of risk.

Unfortunately, there was no time to explore this topic in detail because questions were flying at the Secretary from everyone around the roundtable. The conversation shifted rapidly across a wide range of topics but after a while a new conversation thread with some longevity emerged.

The conversation moved away from securing federal government networks to securing private citizens' confidential information. While the bloggers were ready to blame the FDCC, the general lack of encryption and the loss of physical assets for the staggering loss of private information, Chertoff didn't buy in. He mentally shifted into a CTO's mindset and brushed aside tactical concerns to focus on a more strategic issue. He pointed out that our identity systems are at fault. We use our private information so often for authentication that the risk of compromise has risen to uncomfortable levels. The irony of this response did not escape me. If, in the last years of his cabinet position, he hadn't been so busy with post-911 defensive tactics, would he have been successful at delivering a significant change to our identity systems? The irony is, of course, that if it weren't for 911 this cabinet position would not have existed.

Aside from learning that the no fly list is actually 2500 names instead of the 20 million some had suggested, I didn't learn anything new or groundbreaking. The surprise was that the insightful, intelligent person in charge describing these problems was no different from listening to my own CEO.

For me this was a powerful demonstration of the value of personal communication.
Was it worth the taxpayer dollars to hold this kind of meeting? That's up to you to decide.


Additional Information

Talking to Michael Chertoff (Martin McKeay)


Roundtable with Secretary of Homeland Security Michael Chertoff
(George Ou)

Michael Chertoff: "only 2,500 people on the no-fly list" ( Deborah Gage, SFGate)

More pictures of the event (my Flickr set)


References:

1. http://www.naa.org/blog/digitaledge/1/2008/07/Nielsen-Drudge-Report-Leads-Top-30-in-Sessions-per-Person-Newspapers-Shift-on-List.cfm


December 31, 2008

New Years' Resolutions for Security Professionals

New Years' Resolutions for Security Professionals. The real problem is that there are not enough Kaminskys, Appelbaums, Sotirovs and Kapelas.


So far most of the responses about yesterday's 25C3 presentation by Sotirov, Appelbaum, et al, have focused exclusively on the technical details. The most common topics include: In theory, could the attack be carried out on a wide scale? Am I at risk? Should I be asking my vendors for answers? All reasonable questions, but they miss the bigger picture.

The question everyone should be asking is, "Why did this take so long?"

Several years ago, I had the pleasure of attending a talk by an active NSA analyst. He talked about his list of massive Internet calamities and specifically mentioned routing, PKI and DNS.

Here are a few security highlights for 2008:


* July 2008, in a massive vendor coordinated event, Dan Kaminsky orchestrates a critical fix to DNS that we later learn could lend a hand in large scale man in the middle attacks.

* August 2008, Alex Pilosov and Anton "Tony" Kapela demonstrate a technique for eavesdropping on Internet traffic that affects BGP, the core routing protocol of the Internet.

* December 2008, Sotirov, Appelbaum, et al, reveal their work on MD5 collisions that could render the trust of SSL sites useless.

So why did these discoveries rock our worlds and light up the news wires?

Simple - it's all about trust. We trust the little yellow lock in the browser. We trust Internet routing works. We trust that when our browser URL says our bank name we are logging into our bank. No amount of security awareness training, videos about phishing, antivirus software or hard disk encryption will thwart these kinds of attacks.

The reason there has been so much noise about each of these revelations is because there isn't any way to defend yourself or your company against them. But the noise masks the larger threat.

The real problem is that there are not enough Kaminskys, Appelbaums, Sotirovs and Kapelas performing active academic work focused on the centralized services the Internet uses as building blocks.

Most people trust their local police force to enforce the speed limit. We trust the local fire department to perform fire safety checks in buildings. The United States employs a huge military to protect its borders. The Internet, however, isn't local and knows no borders.

Earlier this year I asked Michael Chertoff, Department of Homeland Security Secretary, how the United States would protect itself against DoS attacks like those on Estonia or Georgia. The answer was a strategic reactionary plan -- reduce the number of entries (Internet connections), block attacks in real time, do background checks.

These are all reasonable answers, but they focus on reactions after an attack is underway. Where are the proactive strategic goals? What about penetration testing or funding academic research into the vulnerabilities inherent in our core trusted services?

It's tempting to assume that the United States does employ researchers trying to break DNS or PKI systems. After all somewhere in the bowels of the government our tax dollars could be funding exactly this kind of research.

The problem with this assumption is that Internet functionality is, for the most part, fairly transparent. No one can slip in a new update to the design of DNS without someone noticing. Also, I have never once seen credit for a vulnerability discovery given to a security researcher employed by the US government.

So, we have fairly large trust issues. US citizens can't trust that our current government is doing the kind of critical research necessary to protect one of our most valuable pieces of critical infrastructure. There are very few private citizens with the specialized knowledge and skills necessary to do this research, and these people are not dedicated to the rigorous research the scale of the problem demands.

This leaves all of us with very few options. If you have read this far, you are in the minority of people that have the background to grasp the enormous import of these issues. The other 99.99% of the Internet users are either blissfully ignorant or deathly afraid of all the many things that go bump in their internet night that they have no protection against.

Those of us that understand the tremendous impact of these kinds of vulnerabilities are left to take whatever small steps we can to protect ourselves. I encourage everyone reading here to resolve to proactively engage in thoughtful, responsible research into these services in 2009. Take a step back and take a long look at the many services we generally take for granted: routing, trust services, DNS, time synchronization and the like. If each of us pushed one piece of one of these trusted services to its limits whenever we had resources, we could help make the Internet a safer place for all users.

And, for the moment, we can only depend on each other.

January 26, 2009

Special One Time Offer: 5 Steps to Accepting a Data Breach

Have the security break-ins at Heartland, TJX and Twitter got you in the doldrums?
Has the pre-inauguration high dwindled into a post-event reality of getting back to work?
Cold weather, gas prices, home sales, Bernie Madoff - it's nothing but bad news.

I have the answer for you; start planning for your own security break in today.

Stop focusing your attention on the news.
Stop hoping for a rosy future.
Go back to your office and work on something productive.
Develop your company's strategic vision to accepting the inevitable data breach and make yourself the next hero.

Not interested, not convinced, don't know where to start?

Consider this: Privacy Rights Clearinghouse, an independent non-profit, says that 251 million data records of US residents have been exposed due to security breaches since January 2005. That's over 80% of the US population in the last three years. It's certain your personal records have been compromised. If your business hasn't been breached, it won't be long.

Enjoy receiving new credit cards every week?
Enjoy receiving free credit monitoring?
Feel like a high roller receiving every phish, virus and credit card application available?

Do your part to stimulate the bank economy.

Today only, you can receive my 5 award winning steps to tackling those doldrums and launch yourself into a world of high stakes visionaries.

Grab a pen and paper, and I will share with you my exclusive, secret, step-by-step program to accepting your own data breach. With these 5 simple steps, you will look like the most visionary person in business.
Join the ranks of the most discussed companies in news outlets everywhere. Soon enough, your company will have its own Facebook page and blogs everywhere will be filled with discourse on your company policy and tactics. Your company name will jump to the top on Google searches.


5 Step Data Breach Readiness Program

Step 1. Buy your employees credit monitoring now. Sell it as a perk. Have HR include it in their benefit handouts. Retail price for a year of credit monitoring is less than $200. Compare that $200 with some other perks like childcare, training or hybrid car credits and executives will find it a good value for both company and employee.

Step 2. Since you never know when disaster might strike, you can offset your liability now with a cyber insurance policy. Buy security insurance and make your executives' offshore shill company the beneficiary. Protect your bottom line and invest in your future simultaneously. Having a good insurance policy may also permit you to relax your IT security budget. Your over-caffeinated IT guys are full of it anyway. They don't need new tools or education. Accepting the inevitability of a breach allows you to shift today's dollars into profit centers that will shore up those bad investments you made last year.

Step 3. Admit failure before it happens. Change your company wide privacy policy to openly discuss the real possibility of failure. While your public face says you are doing your best to protect the company assets and the private data of employees, provide an internal honesty statement: "We know you are required to provide us with your private information and we will try to keep it secure, but there will probably be time in the future that your data is accidentally lost or stolen."

Step 4. Develop a security failure crisis communications strategy now. Those silly IT incident plans include pages of technical jargon, why not have the PR team develop their own nonsensical apologetic statements ahead of time? While you are at it, offer a prepaid bonus to a lower level employee for taking the fall when that security incident happens. When the time comes, make sure news cameras tape them walking out of the office with a box of personal possessions and their head covered with a jacket.

Step 5. Embrace the foreign fiend.
All security breaches at good hard-working American companies should be blamed on some imaginary hacker from a foreign country. East Asian and Eastern European countries are the most fashionable at the moment. Be smart and go with the flow, but be sure your selected country has no extradition agreement with the US.

For today only, I am offering you a generous gift of the sixth secret step to my complete package guaranteed to bring you peaceful nights and worry free days.

Step 6. Register your breach domain now.
2008breach.com was snapped up in a hurry. Grab yours now before some cyber-squatter cyber criminal tries to claim your future.


For my complete list and full step-by-step program to ensure total peace of mind, please follow these simple directions.

Send copies of all your credit cards, social security card and drivers license to:

I Want to Live in Infamy
55 No Place St.
Some Town, USA

Or call now, 1 800-Data-Breach! Operators are standing by!

March 3, 2009

What is security transparency?

Transparency is a common theme in politics and Wall Street these days. The 2008 elections, the dealings of TARP, financial institutions run amok: these are all places where we hear the word transparency bandied about on a daily basis. While many security professionals speak about transparency when it comes to information security, very few definitions fit the overarching idea of transparency. I believe that the time has come for information security professionals to dig deeper into the idea of transparency to gain a better understanding of this concept.

What does it mean to be transparent with security?

Textbooks teach us that information security consists of the CIA triad: confidentiality, integrity and availability. When any one leg of this stool fails, the entire equation falls apart. Transparency implies actions of openness and accountability. Transparency doesn't imply success or failure of information security; it dictates actions at questionable crossroads.

Information security professionals already understand transparency, but we don't use the term the same way economists or politicians use the phrase. Information security people use our own synonyms such as disclosure, process and audit. Each of these terms describes how security teams and companies should carry out transparency. When the politician speaks of transparency, he assumes everyone knows what he is speaking about, and to some degree we do all understand the big picture concept of transparency in government. The network security manager, on the other hand, trying to make the same point clear has a different problem. He wants reliable and clear communications too. He relies on always being told the entire truth and needs an open audit trail. Because computer and information security professionals are accustomed to and rely on the transparent standards underlying Internet functionality, these principles have to carry over into every part of their professional lives in order for them to be successful.


The vendor's role in security transparency.

A vendor can learn to be transparent, but it's a long process. Transparency is part of the culture, part of every business decision and part of a company's foundation. Microsoft, once viewed as the poster child for insecure software and security opacity, has made great strides towards delivering more secure and transparent products.

Microsoft's lifecycle with its December out of band patch, MS08-078, represents a classic case of true transparency. On December 9th, the media began reporting active exploitation of a new bug in Internet Explorer. The next day, Microsoft publicly acknowledged these reports by issuing Security Advisory 961051. That advisory included mitigation and workaround information. Microsoft continued to update the advisory another 4 times over the next few days. On December 16th, Microsoft issued a notification that a patch would be released the next day. On December 17th, users received the patch as promised. Throughout that week, Microsoft continued to update the security advisory with a change log and to speak with the press about the exploit, the vulnerability and its recommendations. If you look at that same security advisory today, you will still see the change log history and be directed to the patch information. This was probably Microsoft's shining transparency moment for 2008.

That's not to say that Microsoft is always a paragon of virtue in transparency, but they clearly know what they need to do, and at least on occasion they act on what they know.

What should other vendors learn from this lesson in transparency?

Acknowledgment
The first thing Microsoft did was publicly acknowledge the vulnerability. You could argue that Microsoft would not have publicly admitted the software fault if it had not already been public, but this misses the larger point. Providing information about a privately held vulnerability when no patch is available only increases the risk to those affected.

Workarounds
The second thing Microsoft did was reduce the immediate risk to affected users by supplying a workaround. Those of us in the trenches of information security recognize that risk comes in many forms. Managers always request mitigation provisions, even if they can't be immediately applied, because mitigation steps provide other methods to help reduce the risk. Security Advisory 961051 included enough technical detail to allow managers to understand the risk and decide which mitigation steps were required at each juncture.

Communications
Starting from the first advisory to the day of the patch release, Microsoft actively participated in public dialog about the vulnerability. They continued to update the security advisory with new information, speak with the press and use their own blogs to help provide awareness of the issues and risks.

The Consumer's Role

Vendors that take transparency seriously treat their consumers with greater respect, but consumers also have a responsibility in this marriage. For a vendor to admit a flaw in their software with the potential for catastrophic security failure is very difficult and requires a huge commitment to transparency. It's understandable for consumers to throw stones at vendors for flaws that should have been disclosed but weren't; it's another thing to double penalize them for admitting the flaw. Consumers need to advocate for an active role in vendor disclosure.

April 8, 2009

Attending FBI Citizens’ Academy

Dear Mr. Storms, I am pleased to advise you that you have been selected to attend the spring session of the 2009 Federal Bureau of Investigation's Citizens' Academy.

After a year of waiting, I was selected to attend the FBI Citizens' Academy. Having first heard of the program through InfraGard, I was immediately interested in becoming part of the growing community of citizens who get to learn firsthand how the FBI functions.

In the San Francisco Bay Area region, the FBI currently hosts 2 sessions a year with an average class size of 30. Attendees are local business, civic and religious leaders that have been nominated by Bureau employees and Academy graduates. The program consists of 5 consecutive weekly evening classes and a "Day at the Range" with the members of the SWAT team.

I'm looking forward to attending the Academy and reporting back to the community.

April 17, 2009

3 Great Reasons to Add nCircle to Your Must-Visit Agenda at RSA

nCircle Mini RC Helicopters
Attend one of our scheduled show floor presentations and take home an nCircle RC helicopter.

nCircle Eco Bag
Fill out our show floor survey and we'll help you go green with an eco-friendly bag.

Win an Amazon Kindle2
Follow nCircle on Twitter by 6pm Thursday April 23rd to be entered into a contest for a Kindle2

May 12, 2009

May Patch Tuesday - Fear Not the 14 CVEs

Why couldn't Microsoft have kept things easy this month? Last week Microsoft's advanced notification information spelled out a single bulletin for PowerPoint. Given the single outstanding publicly known vulnerability in Microsoft's products, May patch Tuesday certainly looked like it would be an easy one. Alas, we did receive a single bulletin today, but with it came 14 CVEs and a note of more to come.

Don't get caught up in the details

The first thing to take away is that newer Microsoft Office products continue to show signs of being more secure. Office 2007, with its new Office file format, continues to present lower risk levels. Even in the face of zero day bugs like those of Excel in February and now PowerPoint, Office 2007 was noticeably less affected. Now with the PowerPoint 4 format being totally retired, managers have more ammo than ever to obtain budget for upgrades.

The second important piece not to overlook is that more patches for today's bugs are due out soon. Microsoft recognized that these bugs also affect the Mac Office products, but doesn't have patches available yet. Releasing patches for only one piece of their product line and leaving the Mac users out in the cold is unlike Microsoft. However, given that current exploit samples were less functional on the Mac and given the market share dichotomy between Office for Mac and Windows, the split release cycle is understandable.

The third piece of today's puzzle is that after you look over the mass of CVEs patched, don't forget that one of them is the known zero day bug that was described in KB969136. This means that Microsoft not only patched the known zero day bug as promised, but also went much further in delivering a more secure Office product lineup.


May 14, 2009

Why Common Risk Scores Matter

The date is May 12th 2009 and you are a mild-mannered IT manager anticipating a single bulletin from Microsoft and a possible update from Adobe. The team has their assignments; their computers are locked and loaded. The team is ready to execute on the planned patch release mechanisms.

At 10AM Pacific Microsoft releases their patch on time. The single bulletin is the anticipated bug fix for the PowerPoint vulnerability. Some members of the team are a bit agitated by the high CVE count and the lack of updates for the OSX Office platform. You are able to quickly refocus the team and move forward. Hours later, rumors hit that not only did Adobe publish their fix, but also Apple released a new revision of their operating system.

In fact both of these things happen, and OSX 10.5.7 includes fixes for 67 vulnerabilities. Together the Apple, Adobe and Microsoft patches account for 83 CVE fixes. Now the team is seriously disheartened. Your job is to draw the group together, review the unexpected workload and set priorities. Did I mention that because of the economy, your team is now smaller, but doing just as much, if not more, work?

Microsoft produces their risk categorization. Adobe employs yet another risk methodology and Apple also defines bugs in their own way. The lack of any common metric across the three vendors in combination with the additional calculus needed to accommodate your internal risk equations equals uncertain resource drain.

On any normal Microsoft patch Tuesday, most enterprise IT teams have their risk calculators in hand and resources at the ready. Some teams split up the duties between client and server vulnerabilities. Others take the highest risk first no matter where the bug lies. Either way, the security team adapts in order to deal with the Microsoft-specific criticality ratings and their exploitability index.

The same thing ensues on an Oracle CPU day. And even when smaller vendors like Adobe release bug fixes, most enterprises know how to massage the vendor specific risk data into their own risk profile equations. This data manipulation is a completely avoidable step.

CVSS (Common Vulnerability Scoring System) version 2 was finalized two years ago. Even before that, CVSS v1 was in play for a number of years. While everyone recognizes that there are some shortcomings with the standard, it is nonetheless a common means to reliably communicate information about risk. It enables vendors to consistently distribute quantifiable information to enterprises who then use this data in their own decision-making engines.

So with this industry wide tool readily available, why is it that today enterprise IT must differentiate and discriminate the various meanings of the word 'critical' from multiple vendors?

On a day like May 12th 2009, enterprise IT had a whole range of decision making to perform. Which bugs were most important for my enterprise? Where do the greatest risks lie and which patches should be tested and delivered first? Do you tackle the low hanging fruit or the higher risk and possibly more cumbersome patches first?

These decisions are made countless times every year as vendors release patches. Unfortunately for those in the trenches, too many valuable resources are consumed with just trying to normalize the vendor datasets. If all vendors across the board delivered data with standard metrics, then at least enterprise IT would be in a better position to handle the inevitable changes smoothly and with minimal disruption.

August 3, 2009

Apple Needs to Get Serious About iPhone Security

Two years ago I took some hard hits from my peers for calling the iPhone "a security nightmare". Two years later, I can't find a single person who doesn't agree that the iPhone is the number one mobile target of security researchers. Fast forward to today -- is the iPhone still a security nightmare or have those problems been relegated to annoyance status?

Last night at one of the BlackHat evening events, I went out of my way to personally thank Charlie Miller for his creative and diligent work finding new and ever more alarming bugs in the iPhone. Charlie needs very few introductions these days due to the notoriety driven by his iPhone security hole discoveries and his history at the Pwn2Own contest. But Charlie is not alone when it comes to iPhone security research. Apple security updates for the iPhone OS now recognize a rapidly expanding list of bug reporters.

The iPhone is now on its third full OS version and Apple has added many new enterprise and security related features. In spite of Apple's attempts to keep the iPhone a closed system, more is known about its inner workings than any other mobile platform (except possibly the open source development of Android). iPhone popularity isn't limited to consumers; it is a favorite with security researchers.

One security maxim says that risk increases in proportion to the target landscape. If this is true, then the iPhone represents a significant security risk simply because of its market penetration. The same thing can be leveled at Microsoft Windows. It's easy to say that because the iPhone is getting this high level of security attention it represents a greater threat than other popular mobile platforms such as Windows Mobile or Blackberry. This kind of thinking is short sighted.

The reason why the iPhone continues to represent a significant threat to the enterprise is not because of its operating system design or the dozens of security bugs it contains. The iPhone risk continues to escalate because of the way Apple prioritizes and operationalizes security. Apple continues to prioritize usability and features ahead of security. Apple just recently added on board data encryption to the new 3GS model. Only days after its release, iPhone encryption was shown to be easily subverted. And enterprise security teams operating with limited resources still don't have a centralized management console for pushing out updates, and the updates themselves are released on Apple's timing with no advance clues as to timing or content. Enterprises that allow iPhones on their networks must live without the vendor-supplied intelligence routinely provided by other vendors.

Today the iPhone might not qualify as a security nightmare, but it's still a pain in the side of both IT security and operational teams. We would like very much to support and deliver the best tools to our users, and that includes the iPhone. The problem is that Apple's enterprise management tools just don't measure up to what is available from Microsoft and Blackberry. And even when we get in a bind with security issues from other vendors, at least they communicate and lend us a hand with detailed information and risk mitigation steps. It's time for Apple to get serious about security if they want to grow in the enterprise.

How to react when big leaguers get hacked

An old boss told me once, "You play in the big leagues, and you will eventually fall like a big leaguer." The fact is many people have their computer security compromised daily, and this is also true for many corporations. But how are we supposed to react when the "big leaguers" in our industry fall victim too?

Over the last week some of the security industry's heavy hitters were victims of widely publicized security breaches. Dan Kaminsky, Matasano Security and Kevin Mitnick all had their websites breached. Some events were little more than defacements; in Dan's case some of his personal information was publicized. We, the BlackHat attendees, are the ones entrusted by individuals, large corporations and government entities to protect networks against precisely these types of attacks. What do high profile breaches like these mean for our reputations and for our industry?

The truth is that data breaches are so common that most of us aren't even alarmed anymore. Privacyrights.org tracks the millions of private records that are compromised each year. The Conficker worm was said to have compromised millions of computers. We have become so used to reading about these stories and shrugging our mental shoulders that some people say our industry has become laissez-faire. We work towards compliance; we fight for budget and reducing our risk metrics. But are we really living and breathing what we preach?

This is not to say that Kaminsky, Matasano or Mitnick aren't intelligent, creative thought leaders who honestly work hard each and every day. It does mean that even the best of us are vulnerable to the same threats as everyone else. It also means that every company, even the ones we work so diligently to protect, is susceptible to some sort of data breach. No one is beyond the law of statistics.

So what does it really mean when even the security gurus at Blackhat get breached? It means there is always room to improve, and it means that there is no such thing as complete security, no matter how much money you spend or how smart you are.

This sobering reality is a reminder to us all about the value of vigilance. It's also a reminder that every breach offers a lesson. Dan Kaminsky handled this very public data breach by congratulating his attackers and offering them two of his grandma's famous cookies.

Dan will definitely step up his security. Will you?

January 16, 2010

Is Google to blame for the IE 0-Day Hype?

The sudden hypersensitivity regarding a new Microsoft IE 0-day traces its roots to this week's overhyped Google breach. On Tuesday, Google went public with an admission of its own compromise. This was no ordinary breach, but one of global proportions: Google claimed that it and 20+ other companies were all victims of state sponsored cyber thiefdom. Everyone suddenly became aware of China's cyber terror potential.

Cue the Beethoven.

While most everyone assumed the public Adobe PDF flaw was the attack vector, we should have more correctly assumed that not one but many attack vectors were at play. Come Friday, in an unexpected turn of events, Microsoft was taking the brunt of the blame for a newly announced IE vulnerability. Microsoft is getting a bum deal here and has Google's overhype to blame for much of it.

What if we replayed this week's events with a different set of goggles?

Suppose that Google had not raised its own compromise to the level of state sponsored cyber terror, while threatening its own retaliation by ceasing censorship of search data. Furthermore, Google didn't need to announce that some 20+ other companies were also victims. At this point, the other companies have very little reason not to come forward. They can safely join the ranks of the others affected and cleanly play the victim role of having been attacked by state sponsored cyber terror. Yet, very few have come forward despite all having been notified.

It would seem to me this was an obvious calculated overhype. The event provided the perfect set of excuses for Google to combat Chinese censorship while giving them an alternative reason to pull out of China. It's a win-win for Google - fight Chinese censorship, support Chinese human rights activists and cleanly exit a failing business venture.

With any good attention diversionary plan, an unexpected victim arises.


Take the facts of the IE vulnerability independent of all external events. What we have today is a bug in all versions of Internet Explorer, but so far only weaponized for IE version 6 on Windows XP. As usual, DEP and ASLR are providing significant mitigation with IE8, Vista and Windows7. The net of these findings is that today's attacks are only successful on Windows XP with IE6. Jonathan Ness of the MSRC engineering team spelled out these important facts in a blog post Friday evening. In an ordinary humdrum month, the vulnerability would be worrisome, but not epic.

Zero day attacks happen every day. Even the most secure organizations get compromised. Everyone is a target, everyone will be a victim. Take a few deep breaths.

February 22, 2010

How does a consumer report PCI non-compliance?

This past Saturday my son and I were having a "boys day". My wife was out having fun all day and the boys were left to be boys. Dinnertime rolled around and we were having too much fun playing LEGO Indiana Jones to even consider making food. So I treated him to a stereotypical boys dinner - video games and pizza. This was when the fun turned into fear.

Moments after ordering pizza online from our favorite local pizzeria, the phone rang.

Caller: "This is Joe from the local pizza place, calling to confirm your order".
The order and delivery location were confirmed.

Caller: "And how do you want to pay for this?"

Me: "Um, well I just entered all my credit card info into your website like I usually do".

Caller: "oh". A moment of pause. "Oh I see your credit card info now in the email."

Me, with a definite tone of anger: "My credit card was sent to you in email?!"

Caller: "um, I'll get that pizza delivered ASAP."
Click


The pizza delivery guy arrived. As it turns out it was the owner delivering the pizza. He explained to me that he had recently bought the local franchise and had no idea that the online orders were emailed to him along with all the customer information. As an attempt at a good-hearted gesture, he gave me some free breadsticks along with the printed email containing my entire credit card and address information.


I was now bent out of shape. Five minutes of Google searches turned up no methods for a consumer to report this obvious PCI non-compliance. Asking friends on Twitter and Facebook ended up with equally non-specific information. Some friends offered up email addresses of people at Visa, others stated quite assuredly that a consumer has no means to turn in violators. Realize of course that nCircle (my employer) is a certified PCI scan vendor and my online friends are all very much entrenched in information security. That is to say that you would think someone like me could ask around and quickly find a way to report this merchant to the PCI council for review.

The next step was to call my bank and issue a fraud alert. The bank customer support person took my information, listened well and followed her procedural steps exactly as instructed. All my information was confirmed, past orders were confirmed and a new card was issued. I requested directions on how to report this merchant for obvious non-compliance. Furthermore, I felt the merchant was in violation of a number of laws by printing out my entire credit card number. The bank customer support person offered the number of the Better Business Bureau.


Think about this. The PCI standards council has worked hard to ensure compliance of all their merchants. An entire industry has sprung up around the PCI Data Security Standards. Yet, the standard provides no means for consumers to flag merchants for non-compliance. Even the issuing bank seems to have no means to do so.

Aside from naming names here in my public soap box, how are consumers supposed to help do their part to ensure the security and privacy of the credit card industry?


March 11, 2010

The Cadence of Microsoft Security Patches

Every month, like clockwork, Microsoft releases security bulletins and every month people ask me if it's small or a big release. While the exact details of the patches are generally treated as news, the expected workload each month really shouldn't be a guessing game because Microsoft's patch releases are predictably cyclical.

I don't have any special inside knowledge, and I can't speak for Microsoft, but when I look at the publicly available information it's pretty clear to me how the cycle works.

60 Day QA Cycle

A 30 to 60 day QA cycle on a Microsoft patch is typical, and it's actually pretty easy to tell how many days a patch was probably in QA. If you are curious, download the patch manually and take a look at the date the file was digitally signed. This isn't an absolutely accurate date because a patch could drop in and out of the QA process several times, but it's a reasonable approximation.

Using this method I calculated the average dates for the Dec 2009 patches at 54 days, November 2009 patches at 36 days, and October 2009 at 45 days. It's not too hard to jump from those numbers to an average 60 day cycle.


Roller Coaster Months

The security teams in charge of acquiring, testing and installing patches can feel like they are on a roller coaster with Microsoft patches. In just the first three months of 2010 we've already had wild swings in the number of CVEs and bulletins. January saw 2 bulletins, followed by a huge February with 13, and then this week we saw just 2 again.

If we plot the number of bulletins alongside the number of CVEs patched each month, there is a distinct pattern. Most Microsoft patches are obviously on a two month push. The first graph plots Microsoft release trends from January 2006 to March 2010. The second graph shows just the last two years, 2008 and 2009, where the wild up and down pattern is more obvious.

[Figure chart1.png: Microsoft bulletin and CVE counts per month, January 2006 to March 2010]

[Figure chart2.png: Microsoft bulletin and CVE counts per month, 2008 and 2009]


Lessons Learned

We'll never be able to predict the exact patch details for any month, but security teams can use these data points to help with planning. We all know that resources are short, but the risks and threats continue to grow, so better utilization of resources has never been more important.

There is no shortage of vendor patches. Luckily, Microsoft not only releases their patches on a predefined schedule, they are also fairly predictable in size. Since March was a pretty light Patch Tuesday, we can expect that the bulletin count for April will jump back up into double digits.

If you are the resource manager for a team of people in charge of your company's patching methodology, just knowing that can help you plan. This month is your chance to catch up from January. Thinking ahead to April, it makes sense to anticipate a large release from Microsoft so plan to have all hands on deck.

Not really much of a mystery after all, is it?


About Security Industry

This page contains an archive of all entries posted to Sync in the Security Industry category. They are listed from oldest to newest.
