<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Sync</title>
      <link>http://blog.ncircle.com/blogs/sync/</link>
      <description></description>
      <language>en</language>
      <copyright>Copyright 2010</copyright>
      <lastBuildDate>Thu, 25 Feb 2010 08:26:58 -0800</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <item>
         <title>RSA Conference Twitter Badge Mod</title>
         <description>&lt;p&gt;Again this year, the folks at the nCircle booth will be providing customized RSA badge mods with your twitter handle.&lt;br /&gt;
&lt;img alt=&quot;twitter_badge_small.jpg&quot; src=&quot;http://blog.ncircle.com/blogs/sync/twitter_badge_small.jpg&quot; width=&quot;200&quot; height=&quot;66&quot; border=&quot;1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We've made things really simple to request your own:&lt;/p&gt;

&lt;p&gt;Follow &lt;a href=&quot;http://twitter.com/ncircletweets&quot;&gt;@ncircletweets&lt;/a&gt;&lt;br /&gt;
Send us a DM that you'd like one for yourself.&lt;br /&gt;
Come by the booth (#1023) at RSA for pickup.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/02/rsa_conference_twitter_badge_m.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/02/rsa_conference_twitter_badge_m.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">RSA2010</category>
        
        
         <pubDate>Thu, 25 Feb 2010 08:26:58 -0800</pubDate>
      </item>
            <item>
         <title>nCircle Announces Patch Priority Index</title>
         <description>&lt;p&gt;Each time a vendor releases patches, I answer the same questions about prioritization.  Which new patch is the most important?  How is enterprise IT going to tackle this new work?&lt;/p&gt;

&lt;p&gt;At nCircle, we know from customers and other publicly available sources that most companies need at least 60 days to complete a patch deployment cycle.  Every day a new deluge of patches is released, and every group of new patches kicks off a new cycle of patch management steps: each patch must be evaluated, prioritized and scheduled.  Information security managers are continually juggling decisions about risk, prioritization and resource allocation, and the variables change every time a vendor releases a new set of patches.&lt;/p&gt;

&lt;p&gt;Today, nCircle announced the Patch Priority Index, a monthly ranking of the top 10 highest-risk vulnerabilities from key vendors such as Microsoft and Adobe that adjusts to reflect how a vulnerability's risk changes over time. The Patch Priority Index (PPI) helps prioritize risk reduction decisions by evaluating new patches within the context of the bigger security picture, and it acknowledges that not all patches will be deployed before the next group of patches is released.&lt;/p&gt;

&lt;p&gt;The idea for this index grew out of community discussions with customers, partners and vendors.  The Patch Priority Index is free and publicly available; nCircle is providing it as a service to the information security community.&lt;/p&gt;

&lt;p&gt;We hope that the service will provide a repeatable, consistent and complementary metric that IT security teams can use to prioritize the most critical vulnerabilities effectively.&lt;/p&gt;

&lt;p&gt;Patch Priority Index rankings are based on key elements of nCircle's Risk Score and include a time component that is unique among scoring systems. This time component prioritizes new patches within the context of all patches previously released by a vendor within the preceding twelve months, so a patch's position is not fixed at release: it is re-evaluated each month against the vendor's other patches still inside that window.&lt;/p&gt;
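&lt;p&gt;What such a rolling, vendor-scoped ranking looks like in code, as an added example that is not nCircle's own algorithm: the 0-to-10 scale, the age weighting and the exploit multiplier are assumptions made here to illustrate a time component, and the patch names, dates and scores are constructed sample input rather than real advisories. Patches older than the twelve-month window drop off the list, and each new patch is ranked against everything still inside it.&lt;/p&gt;

```python
from dataclasses import dataclass
from datetime import date

WINDOW_DAYS = 365   # the post: "the preceding twelve months"
TOP_N = 10          # the post: "top 10 highest risk vulnerabilities"


@dataclass(frozen=True)
class Patch:
    vendor: str
    name: str                       # constructed placeholder label, not a real bulletin or CVE id
    released: date
    base_risk: float                # assumed 0..10 scale at release time; higher is worse
    exploit_public: bool = False    # has exploit code become public since release?


def effective_risk(patch: Patch, as_of: date) -> float:
    """Time-adjusted risk. This weighting is an illustrative assumption,
    not nCircle's Risk Score: public exploit code multiplies the score,
    and the score creeps up with age on the reasoning that a known,
    unpatched hole gets easier to hit the longer it sits."""
    age_days = (as_of - patch.released).days
    age_factor = 1.0 + 0.25 * min(age_days, WINDOW_DAYS) / WINDOW_DAYS   # up to +25%
    exploit_factor = 1.5 if patch.exploit_public else 1.0
    return round(min(10.0, patch.base_risk * age_factor * exploit_factor), 2)


def rank_vendor(patches, vendor: str, as_of: date, top_n: int = TOP_N):
    """Return [(name, score), ...] for the vendor's patches released in the
    preceding WINDOW_DAYS, highest effective risk first. Patches older than the
    window fall off the list; new ones are ranked against everything still in it."""
    in_window = [p for p in patches
                 if p.vendor == vendor
                 and WINDOW_DAYS >= (as_of - p.released).days >= 0]
    ordered = sorted(in_window,
                     key=lambda p: (-effective_risk(p, as_of), p.released, p.name))
    return [(p.name, effective_risk(p, as_of)) for p in ordered[:top_n]]


# Constructed sample input: placeholder names and made-up scores, not real advisories.
AS_OF = date(2010, 3, 1)          # assumed evaluation date
AS_OF_LATER = date(2010, 6, 15)   # a later monthly re-evaluation
SAMPLE_PATCHES = [
    Patch("Microsoft", "ms-old",  date(2009, 2, 1),  9.0, exploit_public=True),  # outside window
    Patch("Microsoft", "ms-a",    date(2009, 6, 1),  7.0, exploit_public=True),  # old but exploited
    Patch("Microsoft", "ms-b",    date(2010, 2, 9),  9.0),
    Patch("Microsoft", "ms-c",    date(2010, 2, 9),  5.5, exploit_public=True),
    Patch("Microsoft", "ms-d",    date(2010, 3, 1),  8.0),                       # released today
    Patch("Adobe",     "adobe-a", date(2010, 2, 16), 9.5),                       # other vendor
]


def microsoft_index(as_of: date = AS_OF):
    """The sample index for one vendor on a given date."""
    return rank_vendor(SAMPLE_PATCHES, "Microsoft", as_of)


if __name__ == "__main__":
    for position, (name, score) in enumerate(microsoft_index(), start=1):
        print(f"{position:2d}. {name:8s} {score:5.2f}")
```

&lt;p&gt;Running the block prints the ranking for the constructed Microsoft set as of 1 March 2010; calling microsoft_index with the later date shows the oldest entry leaving the window and the rest re-ordering, which is the behaviour a monthly re-ranking is meant to capture.&lt;/p&gt;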

&lt;p&gt;Patch Priority Index debuts for Microsoft vulnerabilities in March; other key vendors will follow.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.ncircle.com/index.php?s=Patch-Priority-Index&quot;&gt;The most recent Patch Priority Index may be found here&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.ncircle.com/index.php?s=resources_whiteform&amp;whitepaper=nCircle- Vulnerability-Scoring-System&quot;&gt;For information on the nCircle risk score algorithm, please check out our whitepaper&lt;/a&gt;&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/02/ncircle_announces_patch_priori.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/02/ncircle_announces_patch_priori.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">In The News</category>
        
        
         <pubDate>Tue, 23 Feb 2010 09:09:02 -0800</pubDate>
      </item>
            <item>
         <title>How does a consumer report PCI non-compliance?</title>
         <description>&lt;p&gt;This past Saturday my son and I were having a &quot;boys' day&quot;.  My wife was out having fun all day and the boys were left to be boys.  Dinnertime rolled around and we were having too much fun playing LEGO Indiana Jones to even consider making food. So I treated him to a stereotypical boys' dinner - video games and pizza.  This was when the fun turned into fear.&lt;/p&gt;

&lt;p&gt;Moments after ordering pizza online from our favorite local pizzeria, the phone rang.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Caller:&lt;/strong&gt; &quot;This is Joe from the local pizza place, calling to confirm your order&quot;.&lt;br /&gt;
The order and delivery location were confirmed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Caller:&lt;/strong&gt; &quot;And how do you want to pay for this?&quot;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Me:&lt;/strong&gt; &quot;Um, well I just entered all my credit card info into your website like I usually do&quot;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Caller:&lt;/strong&gt; &quot;Oh&quot;.  A moment of pause. &quot;Oh, I see your credit card info now in the email.&quot;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Me, with a definite tone of anger:&lt;/strong&gt; &quot;My credit card was sent to you in email?!&quot;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Caller:&lt;/strong&gt; &quot;Um, I'll get that pizza delivered ASAP.&quot;&lt;br /&gt;
Click.&lt;/p&gt;

&lt;p&gt;The pizza delivery guy arrived.  As it turns out, it was the owner delivering the pizza.  He explained to me that he had recently bought the local franchise and had no idea that the online orders were emailed to him along with all the customer information.  As an attempt at a good-hearted gesture, he gave me some free breadsticks along with the printed email containing my entire credit card and address information.&lt;/p&gt;

&lt;p&gt;I was now bent out of shape.  Five minutes of Google searches turned up no methods for a consumer to report this obvious PCI non-compliance.  Asking friends on Twitter and Facebook ended up with equally non-specific information. Some friends offered up email addresses of people at Visa; others stated quite assuredly that a consumer has no means to turn in violators.  Realize of course that nCircle (my employer) is a certified PCI scan vendor and my online friends are all very much entrenched in information security.  That is to say that you would think someone like me could ask around and quickly find a way to report this merchant to the PCI council for review.&lt;/p&gt;

&lt;p&gt;The next step was to call my bank and issue a fraud alert.  The bank customer support person took my information, listened well and followed her procedural steps exactly as instructed.  All my information was confirmed, past orders were confirmed and a new card was issued.  I requested directions on how to report this merchant for obvious non-compliance.  Furthermore, I felt the merchant was in violation of a number of laws by printing out my entire credit card number.  The bank customer support person offered the number of the Better Business Bureau.&lt;/p&gt;

&lt;p&gt;Think about this.  The PCI standards council has worked hard to ensure compliance of all their merchants.  An entire industry has sprung up around the PCI Data Security Standards.  Yet, the standard provides no means for consumers to flag merchants for non-compliance.  Even the issuing bank seems to have no means to do so.&lt;/p&gt;

&lt;p&gt;Aside from naming names here in my public soap box, how are consumers supposed to help do their part to ensure the security and privacy of the credit card industry?&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/02/how_does_a_consumer_report_pci.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/02/how_does_a_consumer_report_pci.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">compliance</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">PCI</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">standards</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">VISA</category>
        
         <pubDate>Mon, 22 Feb 2010 10:25:28 -0800</pubDate>
      </item>
            <item>
         <title>BofA Website Outage - A Giant PR Mistake</title>
         <description>&lt;p&gt;For a lot of Americans, today is both a payday and the last business day to pay those bills online due this month.  So it goes without saying that many people have noticed that Bank of America's website has been unavailable for most of the day.&lt;/p&gt;

&lt;p&gt;A quick search on Twitter shows many Americans complaining about the site being down.  Yet, so far only a few news organizations are covering the outage.  The only official word from the company has come from its Twitter account (http://twitter.com/BofA_help), a statement reading &quot;We are aware some customers are experiencing access issues. Our tech team is working to resolve as soon as possible.&quot;  Apparently, the company feels the outage is affecting only a few people.  Those news organizations covering the outage all report no word back from the company.&lt;/p&gt;

&lt;p&gt;Meanwhile, speculation is on the rise that the company is in the midst of a cyber attack.  This is turning into a giant PR mistake by Bank of America.  For a company that took billions in federal assistance, this would also seem like something our new Cyber Czar should be looking into.  We must not forget that, at the very least, one tenet of information security is availability.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/01/bofa_website_outage_a_giant_pr.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/01/bofa_website_outage_a_giant_pr.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">In The News</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">bank of america</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">bofa</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">information security</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">mistake</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">nCircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">outage</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">PR</category>
        
         <pubDate>Fri, 29 Jan 2010 14:17:02 -0800</pubDate>
      </item>
            <item>
         <title>Is Google to blame for the IE 0-Day Hype?</title>
         <description>&lt;p&gt;The sudden hypersensitivity regarding a new Microsoft IE 0-day traces its roots to this week's overhyped Google breach.  On Tuesday, Google went public with an admission of its own compromise.  This was no ordinary breach but one of global proportions: Google claimed that it and 20+ other companies were all victims of state-sponsored cyber thievery.  Everyone suddenly became aware of China's cyber terror potential.&lt;/p&gt;

&lt;p&gt;Cue the Beethoven.&lt;/p&gt;

&lt;p&gt;While almost everyone assumed the public Adobe PDF flaw was the attack vector, we should have assumed that not one but many attack vectors were in play.  Come Friday, in an unexpected turn of events, Microsoft was taking the brunt of the blame for a newly announced IE vulnerability.  Microsoft is getting a bum deal here and has Google's overhype to thank for much of it.&lt;/p&gt;

&lt;p&gt;What if we replayed this week's events with a different set of goggles? &lt;/p&gt;

&lt;p&gt;Suppose that Google had not raised its own compromise to the level of state-sponsored cyber terror while threatening its own retaliation by ceasing censorship of search data.  Furthermore, Google didn't need to announce that some 20+ other companies were also victims.  At this point, the other companies have very little reason not to come forward.  They can safely join the ranks of the others affected and cleanly play the role of victims of state-sponsored cyber terror.  Yet very few have come forward, despite all having been notified.&lt;/p&gt;

&lt;p&gt;It would seem to me this was an obvious calculated overhype. The event provided the perfect set of excuses for Google to combat Chinese censorship while giving them an alternative reason to pull out of China.  It's a win-win for Google - fight Chinese censorship, support Chinese human rights activists and cleanly exit a failing business venture.&lt;/p&gt;

&lt;p&gt;With any good diversionary plan, an unexpected victim arises.&lt;/p&gt;

&lt;p&gt;Take the facts of the IE vulnerability independent of all external events.  What we have today is a bug in all versions of Internet Explorer, but so far it has only been weaponized for IE 6 on Windows XP.  As usual, DEP and ASLR provide significant mitigation on IE8, Vista and Windows 7 (DEP is on by default only for IE8; IE6 and IE7 run without it unless an administrator opts them in, and ASLR needs Vista or later).  The net of these findings is that today's attacks are only successful on Windows XP with IE6.  Jonathan Ness of the MSRC engineering team spelled out these important &lt;a href=&quot;http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx&quot;&gt;facts in a blog post Friday evening&lt;/a&gt;.  In an ordinary humdrum month, the vulnerability would be worrisome, but not epic.&lt;/p&gt;

&lt;p&gt;Zero-day attacks happen every day.  Even the most secure organizations get compromised.  Everyone is a target, everyone will be a victim.  Take a few deep breaths.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2010/01/is_google_to_blame_for_the_ie.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2010/01/is_google_to_blame_for_the_ie.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">0day</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">china</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">google</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ie</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">internet explorer</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Microsoft</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">vulnerability</category>
        
         <pubDate>Sat, 16 Jan 2010 18:05:03 -0800</pubDate>
      </item>
            <item>
         <title>Twitter is down, twitter is down! I don&apos;t know what to do.</title>
         <description>&lt;p&gt;On this momentous occasion of a twitter outage apparently caused by a &lt;a href=&quot;http://status.twitter.com/&quot;&gt;big DDoS attack&lt;/a&gt;, let us celebrate by naming 5 things we used to do before twitter.&lt;/p&gt;

&lt;p&gt;1.	Work more&lt;br /&gt;
2.	Email the person directly&lt;br /&gt;
3.	Pick up the phone&lt;br /&gt;
4.	Make a decision by yourself &lt;br /&gt;
5.	Watch the evening news and not find it old news&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/08/twitter_is_down_twitter_is_dow.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/08/twitter_is_down_twitter_is_dow.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">In The News</category>
        
        
         <pubDate>Thu, 06 Aug 2009 08:53:41 -0800</pubDate>
      </item>
            <item>
         <title>How to react when big leaguers get hacked</title>
         <description>&lt;p&gt;An old boss told me once, &quot;You play in the big leagues, and you will eventually fall like a big leaguer.&quot;   The fact is many people have their computer security compromised daily, and this is also true for many corporations.  But how are we supposed to react when the &quot;big leaguers&quot; in our industry fall victim too?&lt;/p&gt;

&lt;p&gt;Over the last week some of the security industry's heavy hitters were victims of widely publicized security breaches.  Dan Kaminsky, Matasano Security and Kevin Mitnick all had their websites breached.  Some events were little more than defacements; in Dan's case some of his personal information was publicized.  We, the BlackHat attendees, are the ones entrusted by individuals, large corporations and government entities to protect networks against precisely these types of attacks.   What do high-profile breaches like these mean for our reputations and for our industry?&lt;/p&gt;

&lt;p&gt;The truth is that data breaches are so common that most of us aren't even alarmed anymore. Privacyrights.org tracks the millions of private records that are compromised each year.  The Conficker worm was said to have compromised millions of computers.  We have become so used to reading about these stories and shrugging our mental shoulders that some people say our industry has become laissez-faire.   We work towards compliance; we fight for budget and to reduce our risk metrics.  But are we really living and breathing what we preach?&lt;/p&gt;

&lt;p&gt;This is not to say that Kaminsky, Matasano or Mitnick aren't intelligent, creative thought leaders who honestly work hard each and every day.  It does mean that even the best of us are vulnerable to the same threats as everyone else.  It also means that every company, even the ones we work so diligently to protect, is susceptible to some sort of data breach. No one is beyond the law of statistics.&lt;/p&gt;

&lt;p&gt;So what does it really mean when even the security gurus at BlackHat get breached?  It means there is always room to improve, and it means that there is no such thing as complete security, no matter how much money you spend or how smart you are.&lt;/p&gt;

&lt;p&gt;This sobering reality is a reminder to us all about the value of vigilance. It's also a reminder that every breach offers a lesson. Dan Kaminsky handled this very public data breach by congratulating his attackers and offering them two of his grandma's famous cookies.&lt;/p&gt;

&lt;p&gt;Dan will definitely step up his security; will you?&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/08/how_to_react_when_big_leaguers.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/08/how_to_react_when_big_leaguers.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">hacked</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Kaminsky</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Matasano</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Mitnick</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
        
         <pubDate>Mon, 03 Aug 2009 13:25:40 -0800</pubDate>
      </item>
            <item>
         <title>Apple Needs to Get Serious About iPhone Security</title>
         <description>&lt;p&gt;Two years ago I took some hard hits from my peers for calling the iPhone &quot;a security nightmare&quot;.  Two years later, I can't find a single person who doesn't agree that the iPhone is the number one mobile target of security researchers.  Fast forward to today -- is the iPhone still a security nightmare or have those problems been relegated to annoyance status?&lt;/p&gt;

&lt;p&gt;Last night at one of the BlackHat evening events, I went out of my way to personally thank Charlie Miller for his creative and diligent work finding new and ever more alarming bugs in the iPhone.  Charlie needs very few introductions these days due to the notoriety driven by his iPhone security hole discoveries and his history at the Pwn2Own contest.   But Charlie is not alone when it comes to iPhone security research.  Apple security updates for the iPhone OS now recognize a rapidly expanding list of bug reporters. &lt;/p&gt;

&lt;p&gt;The iPhone is now on its third full OS version and Apple has added many new enterprise and security-related features.  In spite of Apple's attempts to keep the iPhone a closed system, more is known about its inner workings than about any other mobile platform (except possibly Android, which is developed as open source).  iPhone popularity isn't limited to consumers; it is a favorite with security researchers.&lt;/p&gt;

&lt;p&gt;One security maxim says that risk increases in proportion to the target landscape.  If this is true, then the iPhone represents a significant security risk simply because of its market penetration.  The same thing can be said of Microsoft Windows.  It's easy to say that because the iPhone is getting such a high level of security attention, it represents a greater threat than other popular mobile platforms such as Windows Mobile or BlackBerry. This kind of thinking is short-sighted.&lt;/p&gt;

&lt;p&gt;The reason why the iPhone continues to represent a significant threat to the enterprise is not its operating system design or the dozens of security bugs it contains.  The iPhone risk continues to escalate because of the way Apple prioritizes and operationalizes security.  Apple continues to prioritize usability and features ahead of security.  Apple only recently added on-board data encryption with the new 3GS model, and only days after its release the iPhone encryption was shown to be easily subverted.  Enterprise security teams operating with limited resources still don't have a centralized management console for pushing out updates, and the updates themselves are released on Apple's timing with no advance clues as to timing or content.  Enterprises that allow iPhones on their networks must live without the vendor-supplied intelligence routinely provided by other vendors.&lt;/p&gt;

&lt;p&gt;Today the iPhone might not qualify as a security nightmare, but it's still a pain in the side of both IT security and operations teams.   We would very much like to support and deliver the best tools to our users, and that includes the iPhone.  The problem is that Apple's enterprise management tools just don't measure up to what is available from Microsoft and BlackBerry.  And even when we get in a bind with security issues from other vendors, at least they communicate and lend us a hand with detailed information and risk mitigation steps.  It's time for Apple to get serious about security if they want to grow in the enterprise.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/08/apple_needs_to_get_serious_abo.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/08/apple_needs_to_get_serious_abo.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">apple</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">iphone</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">mac</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
        
         <pubDate>Mon, 03 Aug 2009 13:19:54 -0800</pubDate>
      </item>
            <item>
         <title>Adobe Responds To Criticisms About Its SDLC</title>
         <description>&lt;p&gt;Adobe had a turbulent start this year and, in response to cries from its disgruntled users, Adobe security has announced several strategic moves.  &lt;a href=&quot;http://blogs.adobe.com/asset/2009/05/adobe_reader_and_acrobat_secur.html&quot;&gt;This blog post from Adobe&lt;/a&gt; describes the three much-needed things Adobe will be doing to improve security for their popular Reader and Acrobat products.&lt;/p&gt;

&lt;p&gt;First, Adobe's existing secure product development standards will now also be used against their existing/legacy code base.  Second, Adobe now promises quicker and more in-depth security incident response mechanisms.  Finally, Adobe will be moving to a regular patch release cycle.&lt;/p&gt;

&lt;p&gt;The three initiatives essentially mirror what we have come to know and appreciate about Microsoft's security processes.  About a decade ago, hit by bad press and poor industry reputation, Microsoft embarked on a similar but grander vision.  The result of that effort is that today Microsoft is the leader when it comes to managing the enterprise security development lifecycle.&lt;/p&gt;

&lt;p&gt;These initiatives are a great start for Adobe to begin rehabilitating their image.  These initiatives go a long way, but they are still missing a few important components.  &lt;/p&gt;

&lt;p&gt;First, Adobe needs to learn how to rein in the bug finders.  Both critical security incidents with Adobe so far in 2009 have involved situations where proof-of-concept code was made public before Adobe could repair the bug.  Letting bug exploits out into the wild set Adobe back on their heels and left IT security groups in a reactionary mode, trying to cover their security assets without much help from Adobe.&lt;/p&gt;

&lt;p&gt;Second, enterprise IT shops could benefit greatly from centralized tools that allow for product policy changes.  If Adobe published means and methods to disable product functionality using Active Directory Group Policy, then IT would be in a better position to respond and implement policy-setting changes.&lt;/p&gt;

&lt;p&gt;Finally, JavaScript bugs riddled Adobe products in 2008 and 2009.  It would behoove them to consider disabling JavaScript by default.  As it stands, disabling it is a per-user preference (Edit, Preferences, JavaScript, stored as the bEnableJS value under HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs), so an administrator who pushes that value out has no way to stop the user from switching it back on.&lt;/p&gt;

&lt;p&gt;The long string of critical bugs in Adobe products has disappointed me, among many others.  The bugs, coupled with poor company communications and difficult-to-deploy mitigation steps, have made the last six months ever more trying for our security team.  Going forward there will be two key metrics of Adobe's successful implementation of their new security program.  The first will be the obvious one: fewer security holes.  The second indicator will be when Adobe has successfully convinced the bug finders to disclose holes to them instead of publishing them online.&lt;/p&gt;

&lt;p&gt;The bottom line is that the changes announced today by Adobe are welcome and we all hope that Adobe sees immediate improvement across their install base. &lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/05/adobe_responds_to_criticisms_a.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/05/adobe_responds_to_criticisms_a.html</guid>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">adobe</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">pdf</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">reader</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">risk</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">SDLC</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
        
         <pubDate>Wed, 20 May 2009 14:45:40 -0800</pubDate>
      </item>
            <item>
         <title>FBI Citizens&apos; Academy, Week 5</title>
         <description>&lt;p&gt;Week 5 of the FBI Citizens' Academy was mostly dedicated to counterterrorism.&lt;/p&gt;

&lt;p&gt;First we received an overview of the counterterrorism program from the local assistant special agent in charge for the counterterrorism group.  The number one priority of the FBI is to protect the United States from a terrorist attack.  This includes protecting US interests and citizens both locally and abroad.  We learned about the Joint Terrorism Task Force (JTTF), which is made up of federal, state and local law enforcement personnel.  The JTTF acts as an integrated investigative force to combat domestic and international terrorism.  Here in the Bay Area we also have a Northern California regional intelligence center, also referred to as a fusion center.  After the overview, speakers led the class through two separate case studies.  The first, a domestic terrorism case, involved individuals harming local university professors who worked in areas where animal testing is involved.  The second case study demonstrated a case of international terrorism, in which a local Bay Area resident was found to be supporting terrorists on foreign soil by monetary means.&lt;/p&gt;

&lt;p&gt;The evening ended with a quick discussion of InfraGard.  InfraGard is a partnership between the FBI and the private sector for information sharing and analysis.  The partnership works towards preventing hostile acts against the United States.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/05/fbi_citizens_academy_week_5.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/05/fbi_citizens_academy_week_5.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">FBI Citizens Academy</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">Academy</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Citizens</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">counterterrorism</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">FBI</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">JTTF</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
        
         <pubDate>Wed, 20 May 2009 09:11:49 -0800</pubDate>
      </item>
            <item>
         <title>Why Common Risk Scores Matter</title>
         <description>&lt;p&gt;The date is May 12th 2009 and you are a mild mannered IT manager anticipating a single bulletin from Microsoft and a possible update from Adobe.  The team has their assignments; their computers are locked and loaded. The team is ready to execute on the planned patch release mechanisms.  &lt;/p&gt;

&lt;p&gt;At 10AM Pacific Microsoft releases their patch on time.  The single bulletin is the anticipated bug fix for the PowerPoint vulnerability.  Some members of the team are a bit agitated by the high CVE count and the lack of updates for the OSX Office platform.  You are able to quickly refocus the team and move forward.  Hours later, rumors hit that not only did Adobe publish their fix, but also Apple released a new revision of their operating system.  &lt;/p&gt;

&lt;p&gt;In fact both of these things happen, and OSX 10.5.7 includes fixes for 67 vulnerabilities.  Together the Apple, Adobe and Microsoft patches account for 83 CVE fixes.  Now the team is seriously disheartened.  Your job is to draw the group together, review the unexpected workload and set priorities.  Did I mention that because of the economy, your team is now smaller, but doing just as much, if not more, work?&lt;/p&gt;

&lt;p&gt;Microsoft produces its own risk categorization.  Adobe employs yet another risk methodology, and Apple also defines bugs in its own way.  The lack of any common metric across the three vendors, combined with the additional calculus needed to accommodate your internal risk equations, equals an uncertain resource drain.&lt;/p&gt;

&lt;p&gt;On any normal Microsoft patch Tuesday, most enterprise IT teams have their risk calculators in hand and resources at the ready.  Some teams split up the duties between client and server vulnerabilities.  Others take the highest risk first no matter where the bug lies.  Either way, the security team adapts in order to deal with the Microsoft-specific criticality ratings and their exploitability index.&lt;/p&gt;

&lt;p&gt;The same thing ensues on an Oracle CPU day.  And even when smaller vendors like Adobe release bug fixes, most enterprises know how to massage the vendor-specific risk data into their own risk profile equations.  This data manipulation is a completely avoidable step.&lt;/p&gt;

&lt;p&gt;CVSS (Common Vulnerability Scoring System) version 2 was finalized two years ago. Even before that, CVSS v1 was in play for a number of years.  While everyone recognizes that there are some shortcomings with the standard, it is nonetheless a common means to reliably communicate information about risk.  It enables vendors to consistently distribute quantifiable information to enterprises, who then use this data in their own decision-making engines.&lt;/p&gt;

&lt;p&gt;So with this industry-wide tool readily available, why is it that today enterprise IT must still differentiate and discriminate among the various meanings of the word 'critical' from multiple vendors?&lt;/p&gt;

&lt;p&gt;On a day like May 12th 2009, enterprise IT had a whole range of decision making to perform.  Which bugs were most important for my enterprise?  Where do the greatest risks lie, and which patches should be tested and delivered first?  Do you tackle the low-hanging fruit or the higher-risk and possibly more cumbersome patches first?&lt;/p&gt;

&lt;p&gt;These decisions are made countless times every year as vendors release patches.  Unfortunately for those in the trenches, too many valuable resources are consumed with just trying to normalize the vendor datasets.  If all vendors across the board delivered data with standard metrics, then at least enterprise IT would be in a better position to handle the inevitable changes smoothly and with minimal disruption.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/05/why_common_risk_scores_matter.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/05/why_common_risk_scores_matter.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">adobe</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">apple</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">cvss</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">information security</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Microsoft</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">patch</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">risk</category>
        
         <pubDate>Thu, 14 May 2009 08:47:49 -0800</pubDate>
      </item>
            <item>
         <title>May Patch Tuesday - Fear Not the 14 CVEs</title>
         <description>&lt;p&gt;Why couldn't Microsoft have kept things easy this month?  Last week Microsoft's advanced notification information spelled out a single bulletin for PowerPoint.  Given the single outstanding publicly known vulnerability in Microsoft's products, May patch Tuesday certainly looked like it would be an easy one.  Alas, we did receive a single bulletin today, but with it came 14 CVEs and a note of more to come.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Don't get caught up in the details &lt;/strong&gt; &lt;/p&gt;

&lt;p&gt;The first thing to take away is that newer Microsoft Office products continue to show signs of being more secure.  Office 2007, with its new Office file format, continues to present lower risk levels. Even in the face of zero-day bugs like those of Excel in February and now PowerPoint, Office 2007 was noticeably less affected.  Now with the PowerPoint 4 format being totally retired, managers have more ammo than ever to obtain budget for upgrades.&lt;/p&gt;

&lt;p&gt;The second important piece not to overlook is that more patches for today's bugs are due out soon.  Microsoft recognized that these bugs also affect the Mac Office products, but doesn't have patches available yet.  Releasing patches for only one piece of their product line and leaving the Mac users out in the cold is unlike Microsoft.  However, given that current exploit samples were less functional on the Mac and given the market share dichotomy between Office for Mac and Windows, the split release cycle is understandable.&lt;/p&gt;

&lt;p&gt;The third piece of today's puzzle is that after you look over the mass of CVEs patched, don't forget that one of them is the known zero-day bug that was described in KB969136.  This means that Microsoft not only patched the known zero-day bug as promised, but also went much further in delivering a more secure Office product lineup.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/05/may_patch_tuesday_fear_not_the.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/05/may_patch_tuesday_fear_not_the.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Security Industry</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">information security</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Microsoft</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">MS09-017</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">patch</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">patch tuesday</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">risk</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
        
         <pubDate>Tue, 12 May 2009 11:22:06 -0800</pubDate>
      </item>
            <item>
         <title>FBI Citizens&apos; Academy, Week 4</title>
         <description>&lt;p&gt;Week 4 of the FBI Citizens' Academy: Violent Crimes, White Collar Crimes and Civil Rights Crimes.&lt;/p&gt;

&lt;p&gt;The mission of the FBI violent crimes program is to:&lt;br /&gt;
* Effectively address those violent crimes that pose significant risk to citizens of the US.&lt;br /&gt;
* Reduce incidents of crimes against children.&lt;br /&gt;
* Address other major violent crimes, including Indian Country, transportation and other special jurisdiction crimes.&lt;/p&gt;

&lt;p&gt;Common crimes include bank robbery, kidnapping, and extortion. The presenter referred to the &lt;a href=&quot;http://www.fbi.gov/ucr/ucr.htm&quot;&gt;Uniform Crime Report (UCR)&lt;/a&gt; for anyone wanting the most up-to-date crime statistics.  He did, however, highlight some interesting statistics.  According to the 2006 UCR, there are only 2.4 sworn law officers per every 1,000 inhabitants in the US.  Further, according to a number of news outlets, nearly 1 in every 100 adults is behind bars.&lt;/p&gt;

&lt;p&gt;The presenter turned our attention to criminal gang activity nationally and locally.  According to Morgan Quitno Press, in 2007 the most dangerous cities included Oakland at number 4 and Richmond in 9th place.   Gangs, as the presenter taught us, fulfill social needs for their members.  Whether by mimicking an extended family or by creating social or ethnic bonds, the gangs provide members with an identity that is represented by their clothing, hand signs, graffiti and tattoos.&lt;/p&gt;

&lt;p&gt;White-collar crime efforts fall into 2 areas of the national FBI priority list - #4 combat public corruption at all levels and #7 combat major white-collar crime.  Crimes that typically fall under the white-collar division include public corruption, corporate or securities fraud and health care fraud.  Of these crimes, the fastest growing are financial fraud, including mortgage fraud and Ponzi schemes.  The FBI investigates public corruption cases and provides checks and balances in the criminal justice system because agents typically have fewer local and political ties.&lt;/p&gt;

&lt;p&gt;The final topic for the evening was civil rights.  The FBI is the primary federal agency responsible for investigating all allegations of civil rights violations.  Selected crimes involving civil rights allegations include: hate crimes, color of law violations, human trafficking and violations of the Freedom of Access to Clinic Entrances Act.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/04/fbi_citizens_academy_week_4.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/04/fbi_citizens_academy_week_4.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">FBI Citizens Academy</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">Academy</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">Citizens</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">FBI</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
        
         <pubDate>Wed, 29 Apr 2009 15:34:46 -0800</pubDate>
      </item>
            <item>
         <title>RSA 2009 Recap</title>
         <description>&lt;p&gt;Hard to believe, but RSA 2009 was just last week.  I found it to be a very successful show and now it's my turn to recap.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Themes&lt;/strong&gt;&lt;br /&gt;
Every year the marketing team tasks me with finding themes at the show.  In no particular order, the top themes between the talks and the booths were: virtualization, cyberwar/cybersecurity, and compliance/policy/regulation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Attendance&lt;/strong&gt;&lt;br /&gt;
During the first part of the week, &lt;a href=&quot;http://blog.ncircle.com/blogs/sync/archives/2009/04/rsa_opens_show_me_the_people.html&quot;&gt;I had noted that the attendance appeared to be dramatically lower than usual&lt;/a&gt;.  To my surprise, as the week progressed, the attendance appeared to be on par with prior years.  In fact, a member of the RSA conference PR team emailed me to say that the unofficial count for 2009 is less than 15% off of prior years.  Considering current news of financial cutbacks, a drop of less than 15% would appear to be pretty good.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best Event&lt;/strong&gt;&lt;br /&gt;
Without a doubt, the security bloggers meet up on Wednesday evening was the week's highlight.  This was a great chance to chat candidly with bloggers, press and friends.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;One Thing I Learned&lt;/strong&gt;&lt;br /&gt;
&lt;a href=&quot;http://blog.ncircle.com/blogs/sync/archives/2009/04/rsa_virtualization_security_pa.html&quot;&gt;The Virtualization Security Panel&lt;/a&gt; opened up a slew of new thoughts for me.  Hopefully, I'll have some time to both implement my ideas at work and share them in a blog post.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Special Thanks&lt;/strong&gt;&lt;br /&gt;
Special thanks to a number of journalists who let me share some time with them: George Hulme, Dennis Fisher and Ryan Naraine.&lt;/p&gt;

&lt;p&gt;All my &lt;a href=&quot;http://blog.ncircle.com/blogs/sync/archives/rsa_2009/&quot;&gt;blog posts from RSA 2009.&lt;/a&gt;&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/04/rsa_2009_recap.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/04/rsa_2009_recap.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">RSA 2009</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">ncircle</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">risk</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">rsa</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">rsa 2009</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">rsacon</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
        
         <pubDate>Tue, 28 Apr 2009 13:43:50 -0800</pubDate>
      </item>
            <item>
         <title>RSA Virtualization Security Panel Review</title>
         <description>&lt;p&gt;Putting Simon Crosby and Chris Hoff on the same panel to discuss virtualization security is a recipe for a good lively discussion.  At the end of the panel, the audience was not disappointed.  In addition to Crosby and Hoff, the panel also included Michael Berman of Catbird and Stephen Herrod of VMware.&lt;/p&gt;

&lt;p&gt;The discussion started with some hijinks by Crosby and Hoff.  Crosby handed out gifts to the panelists that included a broken toy sword and a ball and chain.  Hoff gave out cigars, one notably much smaller for his nemesis, Mr. Crosby.  Despite Chris Hoff's sometimes flamboyant style, he initially came out mild-mannered and on an even keel.  His moderate, centrist and thoughtful approach lasted throughout the discussion.  Conversely, Simon Crosby of Citrix, a huge proponent of Xen, spent most of his time trying to put VMware into a corner.  Crosby touted Xen as the most secure hypervisor system because of its open nature and its continuous real-life testing as the foundation of Amazon's EC2 offering.&lt;/p&gt;

&lt;p&gt;Despite the moderator's attempts to encourage the panel to discuss real-world security implications of virtualization, the topics kept going back to the implementation and security of VMware products like vShield.  In the final moments of the session, the panelists did finally provide a few recommendations worthy of implementing today.  One of these nuggets was the insight that most of the security basics necessary for all systems apply whether they are virtualized or not.  Examples of these basics included using configuration guidelines, creating operational plans that include security and risk considerations, and building architectures that consider the security implications of the entire virtualization life cycle.&lt;/p&gt;

&lt;p&gt;Overall, the virtualization security panel was entertaining and insightful.&lt;/p&gt;</description>
         <link>http://blog.ncircle.com/blogs/sync/archives/2009/04/rsa_virtualization_security_pa.html</link>
         <guid>http://blog.ncircle.com/blogs/sync/archives/2009/04/rsa_virtualization_security_pa.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">RSA 2009</category>
        
                  <category domain="http://www.sixapart.com/ns/types#tag">andrew storms</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">risk</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">rsa</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">rsacon</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">security</category>
                  <category domain="http://www.sixapart.com/ns/types#tag">virtualization</category>
        
         <pubDate>Thu, 23 Apr 2009 15:31:50 -0800</pubDate>
      </item>
      
   </channel>
</rss>
