<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Sync</title>
      <link>http://blog.ncircle.com/blogs/sync/</link>
      <description></description>
      <language>en</language>
      <copyright>Copyright 2011</copyright>
      <lastBuildDate>Mon, 19 Dec 2011 15:00:56 -0800</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <item>
         <title>Carrier IQ Brouhaha</title>
         <description>&lt;p&gt;Lately there's been a lot of hand wringing in the press about Carrier IQ, a software monitoring tool for wireless carriers. Carrier IQ is reportedly facing a federal probe over allegations that its monitoring software collected smartphone data and transmitted it to carriers without consumers' knowledge.&lt;/p&gt;

&lt;p&gt;Carrier IQ has been playing defense. It released a detailed report that shows exactly which types of data its software collects, and pointed out that all data points are selected by carriers and that any collected data is shared only with the relevant carrier. In spite of this, Apple and Sprint just announced that they have disabled Carrier IQ software on their handsets.&lt;/p&gt;

&lt;p&gt;The bad news in this situation is that we still don't know for sure what kind of data Carrier IQ is capable of collecting or what carriers are doing with it. And just because some carriers have recently disabled it doesn't mean they won't turn it back on at some point in the future. Carrier IQ may not be the only option available for carriers that want to monitor handsets either; they may just be this week's privacy scapegoat.&lt;/p&gt;

&lt;p&gt;The good news, if you can call it that, is that if Carrier IQ can gather detailed, private data from users, then we're all in the same boat because, until very recently, it's been on nearly every device.&lt;/p&gt;

&lt;p&gt;If you have a handset that is likely to include Carrier IQ software, remember that panic at this point is pointless and probably premature.&lt;/p&gt;

&lt;p&gt;Everyone in the Carrier IQ value chain is going to have to answer some very detailed questions from the FTC and/or the FCC in the near future, and until then all consumers can do is wait.&lt;/p&gt;

&lt;p&gt;Meanwhile, though, Carrier IQ's website claims that its software is installed on over 141 million handsets (and still counting).&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2011/12/carrier_iq_brouhaha.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2011/12/carrier_iq_brouhaha.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Privacy</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">carrier IQ</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">privacy</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
        
         <pubDate>Mon, 19 Dec 2011 15:00:56 -0800</pubDate>
      </item>
            <item>
         <title>What early PureCloud scan data is saying about the small business</title>
         <description>&lt;p&gt;The results of the first wave of &lt;a href=&quot;https://purecloud.ncircle.com&quot;&gt;nCircle PureCloud&lt;/a&gt; scans are in, and they aren't good news for small businesses. Only 23% of systems scanned between June 30, 2011 and November 7, 2011 had no vulnerabilities, and 30% of systems scanned had at least one high severity vulnerability.&lt;/p&gt;

&lt;p&gt;The holiday shopping season is a lousy time of the year to have a data breach. &lt;a href=&quot;http://www.techjournalsouth.com/2011/10/many-small-businesses-fail-to-take-even-fundamental-cyber-security-precautions&quot;&gt;A recent National Cyber Security Alliance study&lt;/a&gt; says that a small business data breach costs $188,000 and that 60% of businesses close within six months of a cyber attack. Nobody sends a letter to Santa asking for a data breach.&lt;/p&gt;

&lt;p&gt;I'm hoping every small to medium sized business will take advantage of free &lt;a href=&quot;https://purecloud.ncircle.com&quot;&gt;PureCloud&lt;/a&gt; scans to improve their security. We made PureCloud easy to use, so you don't need to be a security expert to protect your business.&lt;/p&gt;

&lt;p&gt;I don't know about you, but having the ability to scan your internal networks for security problems without having to hire an IT guy seems like a pretty good idea...and that's coming from an IT guy.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2011/11/the_results_of_the_first.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2011/11/the_results_of_the_first.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">purecloud</category>
        
         <pubDate>Tue, 22 Nov 2011 13:54:48 -0800</pubDate>
      </item>
            <item>
         <title>Rethinking Black Hat: Building, Rather Than Breaking, Security</title>
         <description>&lt;div align=left style=&quot;padding: 10px;&quot;&gt;
&lt;a href=&quot;http://www.flickr.com/photos/linecon0/2932502587/&quot; title=&quot;Scenes By The Slough by St0rmz, on Flickr&quot;&gt;&lt;img style=&quot;padding: 10px;&quot; align=&quot;left&quot; src=&quot;http://farm4.static.flickr.com/3027/2932502587_e5751f3b08_m.jpg&quot; width=&quot;240&quot; height=&quot;160&quot; alt=&quot;Scenes By The Slough&quot;&gt;&lt;/a&gt;&lt;/div&gt;

&lt;p&gt;No doubt breaking things is fun. I remember when I was 10 years old and took apart a squirrel cage fan, flipped some wires and so forth, and then attempted to plug it back in. Good thing my mom stopped me seconds before I was about to get a literal jolt of reality. These days, I still keep that same inquisitive and maniacal mentality. Yes, I was the guy wearing an assortment of makezine t-shirts at Black Hat, but I also often wore collared shirts and a belt. Because I keep a foot in both of these worlds, I'd like to propose an adjustment to the security community.&lt;/p&gt;

&lt;p&gt;The enjoyment of scrutinizing and tinkering is what draws me and thousands of others to Black Hat each year. Let's be honest with ourselves: we find joy in watching Charlie Miller theoretically explode a laptop battery or Dino Dai Zovi rip apart Apple iOS at every level. We have to thank everyone presenting for interesting insights into how they found holes, broke things or otherwise discovered flaws in just about every computing technology known. This is why Black Hat always keeps me interested.&lt;/p&gt;

&lt;p&gt;Last Thursday, though, I started thinking about our collective mind set a little differently.&lt;/p&gt;

&lt;p&gt;The information security industry is characterized by 80% destruction and 20% construction. This is not to say that 80% of information security is about breaking something, but it is clear that the worldviews of infosec people come from the fact that they are people who break things.&lt;/p&gt;

&lt;p&gt;Don't believe me? Take a look at the major media coverage from Black Hat and Def Con. We are presented as a group of people hell bent on breaking things, finding flaws and otherwise focused on highlighting failures. While the attention that comes from being perceived as a harbinger of doom can be enjoyable, we cannot live like this forever, and it's time for a change.&lt;/p&gt;

&lt;p&gt;Think back to the talks you attended and ask yourself how many of them promoted constructive ideas. I'm glad to know that just about every mobile device platform is broken at some level. It's no big surprise that there are problems with crypto, networking, every OS and even the smart grid.&lt;/p&gt;

&lt;p&gt;However, at the end of Black Hat, I had an opportunity to reflect with some colleagues about the week.&lt;/p&gt;

&lt;p&gt;While Katie Moussouris' announcement about a $250,000 BlueHat prize seemed to fall flat with the audience, this was an honest attempt to stir innovation. Microsoft put their neck on the line in hopes of motivating a large, intelligent community to come up with new, defensive runtime mitigation technologies.&lt;/p&gt;

&lt;p&gt;Then on Thursday, Moxie Marlinspike proposed a fix to problems with the central control of certificate authorities. Not only did he propose a theory, he also produced a free implementation. We have to applaud Moxie for understanding the problem and presenting a novel fix.&lt;/p&gt;

&lt;p&gt;Having been a part of Black Hat for years, I understand the purpose and the description of the community and the conference named after the moniker. But I also believe that our community and the people reading about us in the press would find a lot of value in thinking constructively about solutions.&lt;/p&gt;

&lt;p&gt;I am thankful to researchers who find bugs because, in the end, it makes us all a little bit more secure. But let's push ourselves to take that extra step forward and think about how we can also fix what's broken. Wouldn't it be interesting if future Black Hat briefings also had to include one or more ideas on how to fix the root of the problems being shown?&lt;/p&gt;

&lt;p&gt;&lt;em&gt;This post was originally published by ThreatPost at &lt;a href=&quot;http://threatpost.com/en_us/blogs/rethinking-black-hat-building-rather-breaking-security-081111&quot;&gt;http://threatpost.com/en_us/blogs/rethinking-black-hat-building-rather-breaking-security-081111&lt;/a&gt;&lt;/em&gt;&lt;br /&gt;
&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2011/08/rethinking_black_hat_building.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2011/08/rethinking_black_hat_building.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">blackhat</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
        
         <pubDate>Wed, 17 Aug 2011 15:08:22 -0800</pubDate>
      </item>
            <item>
         <title>Screw Epsilon, Fear the Angry Bird</title>
         <description>&lt;p&gt;No doubt you read about the huge &lt;a href=&quot;http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/&quot;&gt;email security breach Epsilon announced earlier this month&lt;/a&gt;. You may have received letters from companies that use Epsilon services about the possible loss of your email information.&lt;/p&gt;

&lt;p&gt;A lot of people are justifiably concerned that spear phishing and other nefarious attacks will be launched against millions of people as a result of that breach.&lt;/p&gt;

&lt;p&gt;As bad as that Epsilon breach was, I think most people have far more serious privacy concerns on their smartphones. In fact, many consumers are actually paying to have their privacy assaulted.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://blogs.wsj.com/wtk-mobile/&quot;&gt;The Wall Street Journal recently tested 101 popular mobile applications on iPhone and Droid devices to understand what kind of data each app collects and shares&lt;/a&gt;. The study found a huge number of applications that gather and share information that looks unrelated to application functionality.&lt;/p&gt;

&lt;p&gt;I like Angry Birds. It's simple and addicting. I had no idea that it was accessing my iPad's Address Book and, according to the WSJ, sharing my contacts with third parties.&lt;/p&gt;

&lt;p&gt;According to Rovio, Angry Birds is the top-selling iPhone application in 67 countries. In &lt;a href=&quot;http://venturebeat.com/2010/08/13/angry-birds-sells-6-5m-units-on-iphone-and-flies-to-new-smartphones/&quot;&gt;August 2010, VentureBeat reported that Rovio sold 6.5 million copies of Angry Birds&lt;/a&gt;. Given the phenomenal growth trajectories of iOS devices and Angry Birds sales, Rovio has built a huge cache of contact data that's growing exponentially.&lt;/p&gt;

&lt;p&gt;What does this mean to you? Well, for one thing, Rovio is gathering your location data and all the information in your address book and saving it. They might be selling or trading it with third parties. Sorting through all the other things that can be done with this information without your permission is mind boggling.&lt;/p&gt;

&lt;p&gt;Imagine getting an email from your friend Matt:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Hey Paul-&lt;/p&gt;

&lt;p&gt;I'm sending you this email from my iPad while I'm here at Starbucks on Washington St. They have a great new promotion that lets me send a friend a free cup of coffee while I'm here using their free Wi-Fi. All you have to do is click on the link below to print out a personalized coupon.&lt;/p&gt;

&lt;p&gt;&amp;lt;&amp;lt;&quot;nefarious spear phishing URL here&quot;&amp;gt;&amp;gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Wouldn't that email be convincing? Free coffee from your friend just because he was using the free Wi-Fi at Starbucks down the street sounds great, right?&lt;/p&gt;

&lt;p&gt;Of course you don't know that as soon as you click on the link you are taken to a malicious website that tries to use every malware trick in the book.&lt;/p&gt;

&lt;p&gt;There's more bad news. Angry Birds isn't the only application that reaches into all corners of your private information without letting you know.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://blogs.wsj.com/wtk-mobile/&quot;&gt;For your own safety, take a few minutes and read the WSJ study.&lt;/a&gt; This is particularly important if you are using an iOS device in an enterprise environment where the contacts on your phone could be considered confidential company property.&lt;/p&gt;

&lt;p&gt;Smart consumers are only part of the solution to this problem. Apple needs to step up their consumer privacy policies as well.&lt;/p&gt;

&lt;p&gt;Apple wants to have it both ways. On one hand, Apple claims that the iTunes closed system and review process, along with the ability to remove apps from phones remotely, keeps consumers safe. On the other hand, they aren't taking responsibility for what happens to consumer data after consumers download an app.&lt;/p&gt;

&lt;p&gt;At a minimum, Apple needs to require app publishers to tell consumers in plain language what kind of data every application accesses and what happens to that data. This information should be available to consumers before they purchase an application.&lt;/p&gt;

&lt;p&gt;If Apple continues to let app publishers do whatever they want with consumer data, they could find themselves on the receiving end of some very difficult questions about privacy.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2011/04/screw_epslion_fear_the_angry_b.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2011/04/screw_epslion_fear_the_angry_b.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Privacy</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">android</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">apple</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">iphone</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">mobile</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Privacy</category>
        
         <pubDate>Fri, 22 Apr 2011 11:02:03 -0800</pubDate>
      </item>
            <item>
         <title>Why Your Company Needs a Vulnerability Disclosure Policy</title>
         <description>&lt;p&gt;One of the side effects of the avalanche of new web applications available for everything from smartphones to tablets to laptops is that it's possible, maybe even likely, that anyone can find a serious software vulnerability. For companies that employ a range of highly technical software experts, this isn't even a small stretch of the imagination.&lt;/p&gt;

&lt;p&gt;Today almost every company has a security policy. Very small companies are likely to have something fairly general; larger firms have long, rigorous policies reviewed by lawyers that employees have to sign before they can work for the firm. Everyone is aware of the need to describe acceptable and unacceptable uses of company computers and networks.  &lt;/p&gt;

&lt;p&gt;From my point of view, it's starting to look like it's time for many companies to consider adding another policy document to their &quot;to-do&quot; list -- vulnerability disclosure.  &lt;/p&gt;

&lt;p&gt;The catalyst for these new policies was a very public spat back in July involving several vendors and an employee who found and disclosed a zero-day vulnerability without following the affected vendor's wishes regarding disclosure. Unfortunately for all concerned, the entire drama played out in the public eye, garnered a generous share of media attention and prompted a lot of discussion about what the &quot;right thing to do&quot; actually was.&lt;/p&gt;

&lt;p&gt;Public embarrassment was probably not the catalyst for the procedures discussions, but after the dust settled and there was time for everyone to reflect on the 'shoulda, woulda, coulda' aspects of the whole affair, Microsoft and Google released statements regarding their corporate procedures on vulnerability disclosure.&lt;/p&gt;

&lt;p&gt;Microsoft released their &lt;a href=&quot;http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx&quot;&gt;Coordinated Vulnerability Disclosure procedure in July&lt;/a&gt; as a template for the disclosure methodology that they hoped researchers would follow. The procedure was, in reality, just a more specific version of responsible disclosure best practices. &lt;a href=&quot;http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html&quot;&gt;Google created a blog post that discussed their procedures&lt;/a&gt;. The most noticeable difference between the two policies is the time a vendor is allowed to fix a vulnerability before the researcher discloses it to the public. Google stated they would expect any vendor to fix serious security bugs within 60 days. Microsoft has not publicly stated a timeline.&lt;/p&gt;

&lt;p&gt;The public arguments about responsible disclosure have been relatively quiet since then, aside from &lt;a href=&quot;http://dvlabs.tippingpoint.com/blog/2010/08/03/zdi-disclosure-changes&quot;&gt;ZDI's announcement of their new six month deadline&lt;/a&gt; for vendors to fix bugs in August.&lt;/p&gt;

&lt;p&gt;It shouldn't come as a surprise to anyone that Microsoft has just raised the bar on industry best practices again. Microsoft has the most mature information security practices in the industry and has just released new, more detailed information about their own coordinated vulnerability disclosure procedures. These new procedures discuss three different situations: Microsoft as the bug finder, Microsoft as the coordinator between all involved parties, and Microsoft as the vendor affected by the discovered vulnerability.&lt;/p&gt;

&lt;p&gt;As an information security manager, one of the most important things to take away from Microsoft's update is to ask yourself if your company needs a similar policy and procedures. How would your company react if an employee disclosed a critical zero-day vulnerability? More importantly, how do the leaders of your company expect employees to conduct themselves if they find a serious security bug? We would all rather be in a proactive position, with a company policy already in place that says how employees are expected to conduct themselves when faced with a vulnerability disclosure decision.&lt;/p&gt;

&lt;p&gt;Information security is an ongoing process. It's important that we all continue to evolve and learn. Now is a good time to take a cue from Microsoft on this topic and consider right now the importance of having an information security disclosure policy and procedure at your company. It's always better to be proactive than risk a public black eye.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2011/04/why_your_company_needs_a_vulne.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2011/04/why_your_company_needs_a_vulne.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">disclosure</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Microsoft</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">vulnerability</category>
        
         <pubDate>Tue, 19 Apr 2011 13:00:00 -0800</pubDate>
      </item>
            <item>
         <title>Mobile Apps Return Us To 1984 Privacy Debate</title>
         <description>&lt;p&gt;In the last few days of having unfettered access to a new iPad 2, I have learned something very important. Privacy is gone. Privacy is gone because the user has chosen to let it go, and Apple makes it very compelling to give it up.&lt;/p&gt;

&lt;p&gt;My experience with the iPad started like this:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Please register the device, giving Apple all your home info.&lt;/li&gt;
&lt;li&gt;Now please give Apple access to the GPS data, just in case you happen to lose your iPad.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Since you've purchased the device, Apple already has some really good information about you: name, address, phone number, email, credit card and the GPS location of where you are.&lt;/p&gt;

&lt;p&gt;What's next on tap? Now install some cool apps. Wait, what? Your app wants my location data and wants to push me content? What exactly does that mean? I'm not clear on how you are gathering this data or how you are using it. Just what the heck are push notifications anyway?&lt;/p&gt;

&lt;p&gt;You see, I'm just an end user wanting to use my new cool gadget. Of course I'm just going to hit the darn button. I want the app to work, I want my iPad to work. I need instant satisfaction.&lt;/p&gt;

&lt;p&gt;Think about it. Apple and all these applications have your location data. And think further: if an application wants to push you information, it needs to know something about you. That something is probably at least your name, email and Apple ID. But do you know what else they know? Neither do I, and honestly, finding out isn't easy.&lt;/p&gt;

&lt;p&gt;Most consumers wouldn't even think twice about these simple pop-up questions they receive. Oh, sure, go ahead and use my location data and send me push notifications. Most consumers have no clue what any of that means.&lt;/p&gt;

&lt;p&gt;In light of the recent &lt;a href=&quot;http://online.wsj.com/article/SB10001424052748703806304576242923804770968.html&quot;&gt;WSJ article&lt;/a&gt; regarding mobile app developers possibly facing criminal investigation for privacy violations, &lt;a href=&quot;http://www.veracode.com/blog/2011/04/mobile-apps-invading-your-privacy/&quot;&gt;Veracode performed their own analysis&lt;/a&gt; of Pandora, a very popular mobile app.&lt;/p&gt;

&lt;p&gt;What they found probably won't surprise you, but it should concern you. Information like your ID, gender and location was confirmed to have been shared with the application vendor and probably their many advertising partners.&lt;/p&gt;

&lt;p&gt;With more than 15 million iPads sold and another 50 million iPhones, that's a big chunk of the consumer market sharing data with Apple. That's a big chunk of users who have already given Apple rights to who they are and what they do.&lt;/p&gt;

&lt;p&gt;If this is the face of now and the future, then our privacy is doomed. Apple, I thought you were all about breaking the 1984 barrier, but instead you seem to have brought it back alive and well.&lt;/p&gt;

&lt;p&gt;In all fairness, Apple isn't entirely to blame; after all, it is not the only mobile device platform available. However, Apple certainly is the leader and should be the one taking charge to lead us away from these privacy violations, which are now the new norm.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2011/04/mobile_apps_return_us_to_1984.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2011/04/mobile_apps_return_us_to_1984.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Privacy</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">Andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">android</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Apple</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ipad</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ipad2</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Privacy</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
        
         <pubDate>Wed, 06 Apr 2011 07:23:10 -0800</pubDate>
      </item>
            <item>
         <title>Pwning Just Keeps Getting More Fun</title>
         <description>&lt;p&gt;Exploit tools are the new point-and-shoot video games. If my grandma were alive, she could probably figure out how to install a Firefox plugin and pwn all her nursing home friends on Facebook. Unfortunately, you can't say it's getting easier to protect yourself on the Internet; if anything, it's getting much harder.&lt;/p&gt;

&lt;p&gt;Firesheep is a great example of how wide this divide has become. It's just the newest entry in a category we used to call &quot;script kiddie&quot; exploits. Firesheep is a new Firefox plug-in that lets a user gain access to other users' accounts, see pages they shouldn't be able to access and, in many cases, post as the account owner. Attacks like Firesheep are so easy to use that any kid can execute them. You don't even need to know how to run a script or open a shell prompt. We should probably rename the whole category &quot;one-click kiddies&quot;.&lt;/p&gt;

&lt;p&gt;When was the last time you read an article or saw a tweet boasting about a single click that can protect your online privacy? Never, right? Maybe the one-click fix is too much to ask. How about the 10-click protection system? The truth is that protecting your privacy and security just isn't as interesting or as easy or as fun as spying.&lt;/p&gt;

&lt;p&gt;I think it's human nature to find joy in something a little naughty as opposed to more difficult tasks that don't offer immediate rewards. Choosing the apple instead of the cookie takes thought, self-awareness and a long-term view of the benefits. Eating the cookie is easy: one quick second of compulsion and you get immediate gratification.&lt;/p&gt;

&lt;p&gt;The same principle is at work with information security. Wouldn't you rather spy on your neighbor's Gmail instead of telling him how to fix his wireless? Of course you would, at least for a few minutes. And you might even find so much joy in the voyeurism that you tell your buddies all about it the next time you all sit down for a beer. On the other hand, I helped my mother-in-law install about a gigabyte of Mac updates this weekend, but that's so boring I'll never be able to brag about it.&lt;/p&gt;

&lt;p&gt;The reality is that it's so much easier now for anyone to breach your privacy, and increasingly difficult, time consuming and boring to protect it. Unfortunately, if you don't pay attention to your online privacy the neighbor kids will post all your private files to 4chan...and you'll be left wondering how it all happened.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/10/pwning_just_keeps_getting_more.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/10/pwning_just_keeps_getting_more.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">In The News</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">firesheep</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">pwn</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">threats</category>
        
         <pubDate>Fri, 29 Oct 2010 14:29:02 -0800</pubDate>
      </item>
            <item>
         <title>The Cadence of Microsoft Security Patches</title>
         <description>&lt;p&gt;Every month, like clockwork, Microsoft releases security bulletins, and every month people ask me if it's a small or a big release. While the exact details of the patches are generally treated as news, the expected workload each month really shouldn't be a guessing game because Microsoft's patch releases are predictably cyclical.&lt;/p&gt;

&lt;p&gt;I don't have any special inside knowledge, and I can't speak for Microsoft, but when I look at the publicly available information it's pretty clear to me how the cycle works.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;60 Day QA Cycle&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A 30 to 60 day QA cycle on a Microsoft patch is typical, and it's actually pretty easy to tell how many days a patch was probably in QA. If you are curious, download the patch manually and take a look at the date the file was digitally signed. This isn't an absolutely accurate date because a patch could drop in and out of the QA process several times, but it's a reasonable approximation.&lt;/p&gt;

&lt;p&gt;Using this method I calculated the average QA time for the December 2009 patches at 54 days, the November 2009 patches at 36 days, and the October 2009 patches at 45 days. It's not too hard to jump from those numbers to an average 60 day cycle.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Roller Coaster Months&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The security teams in charge of acquiring, testing and installing patches can feel like they are on a roller coaster with Microsoft patches. In just the first three months of 2010 we've already had wild swings in the number of CVEs and bulletins. January saw 2 bulletins, followed by a huge February with 13, and then this week we saw just 2 again.&lt;/p&gt;

&lt;p&gt;If we plot the number of bulletins alongside the number of CVEs patched each month, there is a distinct pattern.   Most Microsoft patches are clearly on a two-month push.  The first graph plots Microsoft release trends from January 2006 to March 2010.  The second graph shows just the last two years, 2008 and 2009, where the up-and-down pattern is more obvious.&lt;/p&gt;

&lt;p&gt;&lt;img alt=&quot;chart1.png&quot; src=&quot;http://blog.ncircle.com/blogs/sync/chart1.png&quot; width=&quot;400&quot; height=&quot;256&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img alt=&quot;chart2.png&quot; src=&quot;http://blog.ncircle.com/blogs/sync/chart2.png&quot; width=&quot;400&quot; height=&quot;256&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Lessons Learned&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We'll never be able to predict the exact patch details for any month, but security teams can use these data points to help with planning.  We all know that resources are short while the risks and threats continue to grow, so better utilization of resources has never been more important.&lt;/p&gt;

&lt;p&gt;There is no shortage of vendor patches.  Luckily, Microsoft not only releases its patches on a predefined schedule; its releases are also fairly predictable in size.  Since March was a pretty light Patch Tuesday, we can expect the bulletin count for April to jump back up into double digits.&lt;/p&gt;

&lt;p&gt;If you are the resource manager for a team of people in charge of your company's patching methodology, just knowing that can help you plan. This month is your chance to catch up on February's big release.  Thinking ahead to April, it makes sense to anticipate a large release from Microsoft, so plan to have all hands on deck.&lt;/p&gt;

&lt;p&gt;Not really much of a mystery after all, is it?&lt;/p&gt;

</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/03/the_cadence_of_microsoft_secur.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/03/the_cadence_of_microsoft_secur.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">graph</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Microsoft</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">patch</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">patch tuesday</category>
        
         <pubDate>Thu, 11 Mar 2010 12:33:25 -0800</pubDate>
      </item>
            <item>
         <title>RSA Conference Twitter Badge Mod</title>
         <description>&lt;p&gt;Again this year, the folks at the nCircle booth will be providing customized RSA badge mods with your twitter handle.&lt;br /&gt;
&lt;img alt=&quot;twitter_badge_small.jpg&quot; src=&quot;http://blog.ncircle.com/blogs/sync/twitter_badge_small.jpg&quot; width=&quot;200&quot; height=&quot;66&quot; border=&quot;1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We've made things really simple to request your own:&lt;/p&gt;

&lt;p&gt;Follow &lt;a href=&quot;http://twitter.com/ncircletweets&quot;&gt;@ncircletweets&lt;/a&gt;&lt;br /&gt;
Send us a DM that you'd like one for yourself.&lt;br /&gt;
Come by the booth (#1023) at RSA for pickup.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/02/rsa_conference_twitter_badge_m.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/02/rsa_conference_twitter_badge_m.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">RSA2010</category>
        
        
         <pubDate>Thu, 25 Feb 2010 08:26:58 -0800</pubDate>
      </item>
            <item>
         <title>nCircle Announces Patch Priority Index</title>
<description>&lt;p&gt;Each time a vendor releases patches, I always answer the same questions about prioritization.  Which new patch is the most important?  How is enterprise IT going to tackle this new work?&lt;/p&gt;

&lt;p&gt;At nCircle, we know from customers and other publicly available sources that most companies need at least 60 days to complete a patch deployment cycle.  Every day a new deluge of patches is released.  Every group of new patches kicks off a new cycle of patch management steps. Each patch must be evaluated, prioritized and scheduled.  Information security managers are continually juggling decisions regarding risk, prioritization and resource allocation, and the variables change every time a vendor releases a new set of patches.&lt;/p&gt;

&lt;p&gt;Today, nCircle announced the Patch Priority Index, a monthly ranking of the top 10 highest-risk vulnerabilities from key vendors such as Microsoft and Adobe that adjusts to reflect how a vulnerability's risk changes over time. The Patch Priority Index (PPI) helps prioritize risk reduction decisions by evaluating new patches within the context of the bigger security picture, and it acknowledges that not all patches may be deployed before the next group of patches is released.&lt;/p&gt;

&lt;p&gt;The idea for this index grew out of community discussions with customers, partners and vendors.  The Patch Priority Index is free and publicly available, a service nCircle is providing to the information security community.&lt;/p&gt;

&lt;p&gt;We hope that the service will provide a repeatable, consistent and complementary metric that IT security teams can use to effectively prioritize the most critical vulnerabilities.&lt;/p&gt;

&lt;p&gt;Patch Priority Index rankings are based on key elements of nCircle's Risk Score and include a critical time component that is unique among scoring systems. This time component prioritizes new patches within the context of all patches previously released by a vendor within the preceding twelve months.&lt;/p&gt;

&lt;p&gt;Patch Priority Index debuts for Microsoft vulnerabilities in March, and other key vendors will follow.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.ncircle.com/index.php?s=Patch-Priority-Index&quot;&gt;The most recent Patch Priority Index may be found here&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.ncircle.com/index.php?s=resources_whiteform&amp;whitepaper=nCircle- Vulnerability-Scoring-System&quot;&gt;For information on the nCircle risk score algorithm, please check out our whitepaper&lt;/a&gt;&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/02/ncircle_announces_patch_priori.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/02/ncircle_announces_patch_priori.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">In The News</category>
        
        
         <pubDate>Tue, 23 Feb 2010 09:09:02 -0800</pubDate>
      </item>
            <item>
         <title>How does a consumer report PCI non-compliance?</title>
<description>&lt;p&gt;This past Saturday my son and I were having a &quot;boys' day&quot;.  My wife was out having fun all day and the boys were left to be boys.  Dinnertime rolled around and we were having too much fun playing LEGO Indiana Jones to even consider making food. So I treated him to a stereotypical boys' dinner - video games and pizza.  This was when the fun turned into fear.&lt;/p&gt;

&lt;p&gt;Moments after ordering pizza online from our favorite local pizzeria, the phone rang.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Caller:&lt;/strong&gt; &quot;This is Joe from the local pizza place, calling to confirm your order.&quot;&lt;br /&gt;
The order and delivery location were confirmed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Caller:&lt;/strong&gt; &quot;And how do you want to pay for this?&quot;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Me:&lt;/strong&gt; &quot;Um, well, I just entered all my credit card info into your website like I usually do.&quot;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Caller:&lt;/strong&gt; &quot;Oh.&quot;  A moment of pause. &quot;Oh, I see your credit card info now in the email.&quot;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Me, with a definite tone of anger:&lt;/strong&gt; &quot;My credit card was sent to you in email?!&quot;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Caller:&lt;/strong&gt; &quot;Um, I'll get that pizza delivered ASAP.&quot;&lt;br /&gt;
Click.&lt;/p&gt;

&lt;p&gt;The pizza delivery guy arrived.  As it turns out, it was the owner delivering the pizza.  He explained to me that he had recently bought the local franchise and had no idea that the online orders were emailed to him along with all the customer information.  As an attempt at a good-hearted gesture, he gave me some free breadsticks along with the printed email containing my entire credit card and address information.&lt;/p&gt;

&lt;p&gt;I was now bent out of shape.  Five minutes of Google searches turned up no methods for a consumer to report this obvious PCI non-compliance.  Asking friends on Twitter and Facebook ended up with equally non-specific information. Some friends offered up email addresses of people at Visa; others stated quite assuredly that a consumer has no means to turn in violators.  Realize, of course, that nCircle (my employer) is a certified PCI scan vendor and my online friends are all very much entrenched in information security.  That is to say, you would think someone like me could ask around and quickly find a way to report this merchant to the PCI council for review.&lt;/p&gt;

&lt;p&gt;The next step was to call my bank and issue a fraud alert.  The bank customer support person took my information, listened well and followed her procedural steps exactly as instructed.  All my information was confirmed, past orders were confirmed and a new card was issued.  I requested directions on how to report this merchant for obvious non-compliance.  Furthermore, I felt the merchant was in violation of a number of laws by printing out my entire credit card number.  The bank customer support person offered the number of the Better Business Bureau.&lt;/p&gt;

&lt;p&gt;Think about this.  The PCI Standards Council has worked hard to ensure compliance of all their merchants.  An entire industry has sprung up around the PCI Data Security Standards.  Yet the standard provides no means for consumers to flag merchants for non-compliance.  Even the issuing bank seems to have no means to do so.&lt;/p&gt;

&lt;p&gt;Aside from naming names here on my public soapbox, how are consumers supposed to help do their part to ensure the security and privacy of the credit card industry?&lt;/p&gt;
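&lt;p&gt;The root of the problem in the story is the ordering system, not the new owner: it mailed a full card number in the clear, which PCI DSS forbids (unprotected PANs must never be sent by end-user messaging technologies such as email, and a displayed PAN must be masked to at most the first six and last four digits). As an added example that is not part of the original post, the Python below is the kind of outbound check an order-notification system should run: it finds Luhn-valid card numbers in a message body and masks them before anything is sent or printed. The order email is a constructed sample that uses the well-known 4111 1111 1111 1111 Visa test number; the regular expression and the 13-to-19-digit range are assumptions about the card brands a merchant accepts.&lt;/p&gt;

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes
# (assumed range; it covers the major card brands a merchant typically accepts)
PAN_RE = re.compile(r"(?:\d[ -]?){12,18}\d")

def luhn_ok(digits):
    """Luhn mod-10 check; real card numbers pass, most phone numbers and order IDs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def _digits(candidate):
    return re.sub(r"[ -]", "", candidate)

def find_pans(text):
    """Return every Luhn-valid card number (as written) found in a message body."""
    return [m.group() for m in PAN_RE.finditer(text) if luhn_ok(_digits(m.group()))]

def mask_pan(candidate):
    """Keep only the last four digits. PCI DSS allows at most the first six and
    last four to be shown; a pizza shop has no need for the first six."""
    digits = _digits(candidate)
    return "*" * (len(digits) - 4) + digits[-4:]

def redact(text):
    """Mask every Luhn-valid PAN in an outbound message, leaving other digit runs alone."""
    def _swap(m):
        return mask_pan(m.group()) if luhn_ok(_digits(m.group())) else m.group()
    return PAN_RE.sub(_swap, text)

# Constructed sample of the order email a merchant's site might generate
SAMPLE_ORDER_EMAIL = (
    "New online order 20100220-0417\n"
    "Customer: A. Customer, 123 Main St\n"
    "Phone: 415-555-0100\n"
    "Card: 4111 1111 1111 1111 exp 02/12\n"
    "Total: 24.50\n"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_ORDER_EMAIL))
    print(redact(SAMPLE_ORDER_EMAIL))
```

&lt;p&gt;The Luhn filter is what keeps the phone number and the order reference in the sample untouched; a digit-count match alone would flag them. Masking is a stopgap for the notification path only: the card data itself belongs with the payment processor, never in the merchant's inbox.&lt;/p&gt;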

</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/02/how_does_a_consumer_report_pci.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/02/how_does_a_consumer_report_pci.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">compliance</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">PCI</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">standards</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">VISA</category>
        
         <pubDate>Mon, 22 Feb 2010 10:25:28 -0800</pubDate>
      </item>
            <item>
         <title>BofA Website Outage - A Giant PR Mistake</title>
         <description>&lt;p&gt;For a lot of Americans, today is both a payday and the last business day to pay those bills online due this month.  So it goes without saying that many people have noticed that Bank of America's website has been unavailable for most of the day.&lt;/p&gt;

&lt;p&gt;A quick search on Twitter shows many Americans complaining about the site being down.  Yet, so far, only a few news organizations are covering the outage.  The only official word from the company has come from its Twitter account (http://twitter.com/BofA_help), and the statement there, &quot;We are aware some customers are experiencing access issues. Our tech team is working to resolve as soon as possible,&quot; suggests the company feels the outage is affecting only a few people.  The news organizations covering the outage all report no word back from the company.&lt;/p&gt;

&lt;p&gt;Meanwhile, speculation is on the rise that the company is in the midst of a cyber attack.  This is turning into a giant PR mistake by Bank of America.  For a company that took billions in federal assistance, this would also seem like something our new Cyber Czar should be looking into.  We must not forget that, at the very least, one tenet of information security is availability.&lt;/p&gt;

</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/01/bofa_website_outage_a_giant_pr.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/01/bofa_website_outage_a_giant_pr.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">In The News</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">bank of america</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">bofa</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">information security</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">mistake</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">nCircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">outage</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">PR</category>
        
         <pubDate>Fri, 29 Jan 2010 14:17:02 -0800</pubDate>
      </item>
            <item>
         <title>Is Google to blame for the IE 0-Day Hype?</title>
<description>&lt;p&gt;The sudden hypersensitivity regarding a new Microsoft IE 0-day traces its roots to this week's overhyped Google breach.  On Tuesday, Google went public with an admission of its own compromise.  This was no ordinary breach, but one of global proportions: Google claimed that it and 20+ other companies were all victims of state-sponsored cyber theft.  Everyone suddenly became aware of China's cyber terror potential.&lt;/p&gt;

&lt;p&gt;Cue the Beethoven.&lt;/p&gt;

&lt;p&gt;While most everyone assumed the public Adobe PDF flaw was the attack vector, we should have more correctly assumed that not one but many attack vectors were at play.  Come Friday, in an unexpected turn of events, Microsoft was taking the brunt of the blame for a newly announced IE vulnerability.  Microsoft is getting a bum deal here, and much of it is down to Google's overhype.&lt;/p&gt;

&lt;p&gt;What if we replayed this week's events with a different set of goggles? &lt;/p&gt;

&lt;p&gt;Suppose that Google had not raised its own compromise to the level of state-sponsored cyber terror, while threatening its own retaliation by ceasing to censor search results.  Furthermore, Google didn't need to announce that some 20+ other companies were also victims.  At this point, the other companies have very little reason not to come forward.  They can safely join the ranks of the others affected and cleanly play the victim role of having been attacked by a state-sponsored cyber terror campaign.  Yet very few have come forward despite all having been notified.&lt;/p&gt;

&lt;p&gt;It would seem to me this was an obvious, calculated overhype. The event provided the perfect set of excuses for Google to combat Chinese censorship while giving it an alternative reason to pull out of China.  It's a win-win for Google: fight Chinese censorship, support Chinese human rights activists and cleanly exit a failing business venture.&lt;/p&gt;

&lt;p&gt;With any good diversion, an unexpected victim arises.&lt;/p&gt;

&lt;p&gt;Take the facts of the IE vulnerability independent of all external events.  What we have today is a bug in all versions of Internet Explorer, but so far only weaponized for IE 6 on Windows XP.  As usual, DEP and ASLR are providing significant mitigation on IE8, Vista and Windows 7.  The net of these findings is that today's attacks are only successful on Windows XP with IE6.  Jonathan Ness of the MSRC engineering team spelled out these important &lt;a href=&quot;http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx&quot;&gt;facts in a blog post Friday evening&lt;/a&gt;.  In an ordinary, humdrum month the vulnerability would be worrisome, but not epic.&lt;/p&gt;

&lt;p&gt;Zero day attacks happen every day.  Even the most secure organizations get compromised.  Everyone is a target, everyone will be a victim.  Take a few deep breaths.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/01/is_google_to_blame_for_the_ie.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/01/is_google_to_blame_for_the_ie.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">0day</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">china</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">google</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ie</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">internet explorer</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Microsoft</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">vulnerability</category>
        
         <pubDate>Sat, 16 Jan 2010 18:05:03 -0800</pubDate>
      </item>
            <item>
         <title>Twitter is down, twitter is down! I don&apos;t know what to do.</title>
         <description>&lt;p&gt;On this momentous occasion of a twitter outage apparently caused by a &lt;a href=&quot;http://status.twitter.com/&quot;&gt;big DDoS attack&lt;/a&gt;, let us celebrate by naming 5 things we used to do before twitter.&lt;/p&gt;

&lt;p&gt;1.	Work more&lt;br /&gt;
2.	Email the person directly&lt;br /&gt;
3.	Pick up the phone&lt;br /&gt;
4.	Make a decision by yourself &lt;br /&gt;
5.	Watch the evening news and not find it old news&lt;/p&gt;

</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/08/twitter_is_down_twitter_is_dow.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/08/twitter_is_down_twitter_is_dow.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">In The News</category>
        
        
         <pubDate>Thu, 06 Aug 2009 08:53:41 -0800</pubDate>
      </item>
            <item>
         <title>How to react when big leaguers get hacked</title>
         <description>&lt;p&gt;An old boss told me once, &quot;You play in the big leagues, and you will eventually fall like a big leaguer.&quot;   The fact is many people have their computer security compromised daily, and this is also true for many corporations.  But how are we supposed to react when the &quot;big leaguers&quot; in our industry fall victim too?&lt;/p&gt;

&lt;p&gt;Over the last week some of the security industry's heavy hitters were victims of widely publicized security breaches.  Dan Kaminsky, Matasano Security and Kevin Mitnick all had their websites breached.  Some events were little more than defacements; in Dan's case some of his personal information was publicized.  We, the BlackHat attendees, are the ones entrusted by individuals, large corporations and government entities to protect networks against precisely these types of attacks.   What do high-profile breaches like these mean for our reputations and for our industry?&lt;/p&gt;

&lt;p&gt;The truth is that data breaches are so common that most of us aren't even alarmed anymore. Privacyrights.org tracks the millions of private records that are compromised each year.  The Conficker worm was said to have compromised millions of computers.  We have become so used to reading these stories and shrugging our mental shoulders that some people say our industry has become laissez-faire.   We work towards compliance; we fight for budget and for reducing our risk metrics.  But are we really living and breathing what we preach?&lt;/p&gt;

&lt;p&gt;This is not to say that Kaminsky, Matasano or Mitnick aren't intelligent, creative thought leaders who honestly work hard each and every day.  It does mean that even the best of us are vulnerable to the same threats as everyone else.  It also means that every company, even the ones we work so diligently to protect, is susceptible to some sort of data breach. No one is beyond the law of statistics.&lt;/p&gt;

&lt;p&gt;So what does it really mean when even the security gurus at BlackHat get breached?  It means there is always room to improve, and it means that there is no such thing as complete security, no matter how much money you spend or how smart you are.&lt;/p&gt;

&lt;p&gt;This sobering reality is a reminder to us all of the value of vigilance. It's also a reminder that every breach offers a lesson. Dan Kaminsky handled this very public data breach by congratulating his attackers and offering them two of his grandma's famous cookies.&lt;/p&gt;

&lt;p&gt;Dan will definitely step up his security. Will you?&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/08/how_to_react_when_big_leaguers.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/08/how_to_react_when_big_leaguers.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">hacked</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Kaminsky</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Matasano</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Mitnick</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
        
         <pubDate>Mon, 03 Aug 2009 13:25:40 -0800</pubDate>
      </item>
      
   </channel>
</rss>

