I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, "Shifting focus: Aligning security with risk management."
I liked the opener, about what it's like for executives to talk to security professionals, and the difference between what might happen and what's likely to happen. The screenshot is from a discussion of how to play Russian Roulette.
I also like the way he critiqued best practices (you'll have to watch). It's a little hard for me to assess his risk management methodology from a podcast, but it's a very worthwhile 45 minutes.
(Now if only he had some Kandinsky in there, I'd have no doubt that the Risk Management Insight Institute, which Jack heads, is part of what we call the "New School.")

PARIS — Jérôme Kerviel, the Société Générale trader who used his knowledge of the French bank’s electronic risk controls to conceal billions in unauthorized bets, has a new job — at a computer consulting firm.

First let me say that I'm fond of the phrase "paid his debt to society." It's out of fashion, but it used to mean that someone, after their sentence was carried out, was done. That they ought to be allowed to get on with their lives. I've publicly commented on Frank Abagnale being in this class.

Mr. Kerviel, who was given a provisional release from prison on March 18, started work last week as a trainee at Lemaire Consultants & Associates, which specializes in computer security and system development, a spokesman for the former trader, Christophe Reille, confirmed on Friday. ("After Trading Scandal, Banker Gets I.T. Job," The New York Times.)
Kerviel clearly understands how to get around IT controls. I expect that there's a great deal which he might be able to teach people about what's important in security design, and some about what isn't. (His ability to generalize his approach hasn't been tested yet.)
At the same time, he hasn't yet been tried for his actions. What would be the right framework for making a hiring decision like this?
Photo: REUTERS/Benoit Tessier
Ross Anderson has made PDF versions of several chapters of his Security Engineering (second edition) available on-line. The entire first edition has been available for some time.
I am sure this second edition will be outstanding. I would rank the first edition as one of the top three technical books I've read. It would likely be number one. I have high expectations for the second edition, stemming in large part from the author's academic discipline.
How many security titles have a 104 page bibliography?
The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.

See the CVE News page. I remember proposing that we have a CVE-1. I'm tremendously proud to have helped get such a useful thing off the ground, and really happy for the CVE team.

In his inimitable way, Illiad has highlighted that the miscreants have moved from the operating system to the applications.
[Update: If you want to see all the threat modeling posts, they're at Threat Modeling SDL blog posts. They're displayed latest to oldest, which we're looking into.]
Dubai, as Adam pointed out, is in something of a branding quandary. A hard line - some would say a retrograde and counterproductive line - on victimless crime doesn't mix well with an image as a fun spot for the well-heeled.
Meanwhile, there's this (from Emirates Business 24-7, retrieved 2/21/2008):
Dubai-based banks are recruiting former hackers to shore up their information security systems, said an information technology expert. (emphasis mine)

Addel Wahab Ahmed Mostafa, an IT consultant and chief of the technical committee at information company UAE Data Warehouse PM, said banks were hiring hackers in a bid to stay one step ahead of potential breaches.
Most of the big organisations are employing ex-hackers.
In Dubai banks are hiring hackers to protect themselves because how else do you protect yourself from hackers?
You must figure out the measures they use and use them yourself.
He said 60 per cent of hacking originated inside organisations or was carried out by former employees.
I see a mixed message being sent here. And by the way, from the tone of the article it is clear the "ex-hacker" doesn't mean "broke the law ten years ago", so let's not start that flame war.
As we love to say, if you have physical access to a machine, then you have access to all the data on it. Today Ed Felten et al. proved that yet again when they released a paper describing cold boot attacks on encryption keys. In it, they show that DRAM can be stripped (even after a full shutdown) of passwords and encryption keys. It turns out that DRAM doesn't lose its contents immediately after losing power. As a result, they have been able to successfully extract keys for BitLocker (Vista), TrueCrypt (multiplatform open source) and FileVault (OS X). They can even take the DIMMs out of the target computer, move them to another machine, and then find the keys without interference from the original host OS. How cool is that? I imagine it won't be long before this gets implemented in forensics software and/or hacking tools.
[Via Boing Boing]
Via Kable's Government Computing, comes news that the British House of Lords "Science and Technology Committee has announced a follow-up inquiry to its 'Personal Internet Security' report".
Chair of the committee Lord Sutherland said: "The committee was disappointed with the government's response to its report. We felt they had failed to address some of our key concerns about people's security on the internet.

"The House of Lords is likely to be debating the report in the summer and to ensure that the debate is as well informed as possible we have decided to seek key stakeholders' views on the government's response." (Kable's Government Computing, 2008-02-21)
I speak American English, so I may not be up on the nuances, but I think Lord Sutherland is saying that they're going to line up a bunch of experts to say what absolute dolts the government were in ignoring the recommendations put forth by the Committee last year.
Excellent.
What, might you ask, can we learn from a 30 year old text?
Nothing has changed.
Except, for some of the names. Donn Parker is in there, as are a melange of consultants. But read this:
As the result of such revelations of security weaknesses in IRS computer systems--and, in particular, the critical [date] GAO report--the commissioner of the IRS, while conceding that the IRS had not been as aggressive in the past as it might have been in correcting situations that potentially weakened its overall security, declared that he is committing the IRS to a "vigorous course of improvement" in the management of computerized tax data in order to assure the maximum security for information on taxpayers. (p. 71 of the paperback)

That was in 1977. Compare and contrast this 2008 Associated Press article:

IRS records, including taxpayer information, are vulnerable to tampering or disclosure because it has not yet fixed dozens of information security weaknesses, according to a government report issued Tuesday.

The existing problems, the GAO said, included giving too many people access to sensitive material, failure to encrypt all sensitive data and weak physical security controls.
...
Acting IRS Commissioner Linda Stiff, in response to the report, wrote that the agency recognizes "there is significant work to be accomplished to address our information security deficiencies and we are taking aggressive steps to correct previously reported weaknesses." (Associated Press, 2008, "Report Cites IRS Security Flaws")

I could go on about similarities between what's in Computer Capers, oh, ok, one more:

Top management people in large corporations fear that publicity about internal fraud could well affect their companies' trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil... (Computer Capers, page 72)

I could go on quoting, but can we as a profession go on making the same mistakes?
The fetishization of secrecy has got to stop, or in thirty years, we'll be looking back at the same problems.

On the beaches of Mexico, they're talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons.
First is the price: about €9,000. Second, there's the performance: a complete DES keyspace sweep in a fortnight. That's not bad, if you think about Deep Crack and what you'd expect from normal semiconductor advances.
The news, however, is that apparently there are banks using two-factor authentication tokens with DES-based keys, and if you're clever, you can break this token with far less than a full key search. You only need to observe the supposedly one-time password (or two or three of them), and then with a fortnight of computing, you can generate any one-time password the real owner can.
Maddeningly, there are other systems based on AES or some other crypto that aren't at all vulnerable to this attack -- because they have better keys. People who are vulnerable to this attack need not be.
Apparently, these banks have fallen in love with DES. But falling in love is dangerous. It's also negligent, when it's so easy to get shot.
Photo courtesy of Imagem Compartilhada.
I think the key is that it's hard for the average person to read tapes if they found/stole them, but for a moderately-large organization/attacker, it's possible.

I think this is a great example of what I call perversity in computer security. When a fellow with the best of intentions is trying to do something, it's hard, and when the bad guy tries it, it's easy. It's like when you want your computer to keep data, it loses it. But when you're trying to delete it, it's awfully hard. Similarly, your computer often behaves in seemingly random ways. But when you're trying to get what cryptographers call good randomness, it's perversely hard.
There's another place this routinely shows up, and that's around the question of "are IP addresses personal information?" If you want to use IP addresses for security purposes, they're notoriously poor. But if you want to use them to invade privacy, they're often good enough. As Eric Rescorla writes in "Uh, yeah IP addresses are identifying:"
It's certainly true that many home users have IP addresses that are assigned via DHCP, so in principle they're dynamic, but that doesn't mean that you don't regularly get the same IP. From what I hear, common practice for full-time Internet connections is to regularly assign the same IP addresses to the same host. The IP addresses change occasionally, but mostly they're semi-static, so the IP address is generally a pretty useful identifier. And of course, even if your IP address does change regularly, it's still possible to cross-correlate activities at multiple sites at the same time.

This is up there with my other law: "All Non-Trivial Privacy Fears Come True."
Why is it we easily admit that spammers are people smart enough to run massive bot nets, design custom malware, create rootkits, and adapt to changing protection technologies but we still think that they're unable to write a pattern to match "user at domain dot com"?
Kudos to the first person who puts such a pattern in the comments below.
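The pattern the post asks for, written here as an added example rather than anything from the original post: a small Python de-munger run over constructed sample text. It makes the post's point from the defender's side, that "user at domain dot com" munging costs a harvester a few lines of regex and so is not a control worth relying on; the sample text and the short TLD allow-list are assumptions.

```python
import re

# Constructed sample text, of the kind a harvester scrapes from a web page or list archive.
SAMPLE = """
Contact: alice at example dot com for details.
Or bob [at] mail (dot) example [dot] org, or carol(at)example.net
My address is dave AT example DOT co DOT uk - no spam please.
Plain one: eve@example.com. Not an address: look at the dot on the map.
"""

# "at" in its usual disguises: @, at, [at], (at), {at}, <at>, with optional spaces around it.
AT = r"(?:@|\s*[\[\(\{<]?\s*\bat\b\s*[\]\)\}>]?\s*)"
# "dot" likewise: ., dot, [dot], (dot), {dot}, <dot>.
DOT = r"(?:\.|\s*[\[\(\{<]?\s*\bdot\b\s*[\]\)\}>]?\s*)"
# One local-part or domain label; deliberately simplified, not RFC 5322.
LABEL = r"[a-z0-9][a-z0-9_\-]*"

CANDIDATE = re.compile(
    rf"\b({LABEL}(?:{DOT}{LABEL})*)"   # local part, may itself contain spelled-out dots
    rf"{AT}"
    rf"({LABEL}(?:{DOT}{LABEL})+)\b",  # domain: two or more labels
    re.IGNORECASE,
)

# Small constructed allow-list; a real harvester would use the full public-suffix list.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "uk", "io"}


def normalize(piece: str) -> str:
    """Rewrite 'bob [at] mail (dot) example' as 'bob@mail.example'."""
    piece = re.sub(DOT, ".", piece, flags=re.IGNORECASE)
    piece = re.sub(AT, "@", piece, flags=re.IGNORECASE)
    return piece.lower()


def harvest(text: str) -> list[str]:
    """Return the de-munged addresses in text, in order of appearance.

    Free text like 'look at the dot on the map' has the same shape, so the
    final label is checked against KNOWN_TLDS to drop such false positives.
    """
    found = []
    for m in CANDIDATE.finditer(text):
        addr = normalize(m.group(0))
        domain = addr.partition("@")[2]
        if domain.rsplit(".", 1)[-1] in KNOWN_TLDS:
            found.append(addr)
    return found


if __name__ == "__main__":
    for addr in harvest(SAMPLE):
        print(addr)
```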
First exposed nearly a year ago, by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report:
TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the “Statement of Work” for the contract was “written such that Desyne Web was the only vendor that could meet program requirements.” (House Oversight and Government Reform Committee)

The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the “Technical Lead” on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne’s owner.
TSA did not detect the website's security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured “the privacy of users and the security of the system” before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.
TSA did not provide sufficient oversight of the website and the contractor. The internal TSA investigation found that there were problems with the “planning, development, and operation” of the website and that the program managers were “overly reliant on contractors for information technology expertise” and had failed to properly oversee the contractor, which as a result, “made TSA vulnerable to non-performance and poor quality work by the contractor.”
As for accountability,
Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a governmentwide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.
Recently Dave G of Matasano (and smoked salt) fame posted two interesting articles on Vulnerability Disclosure Markets. In the second one, he reposted a user's comment:
Based on the failing (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors - Which “trusted person or organization” is left “that can represent vulnerability researchers whose reputation is at stake when dealing with vendors.”?
Let's assume for a moment that, in fact, there is no one that currently fills this role to everyone's satisfaction. Furthermore, let us assume that (at least for certain large vendors) while the extant system more or less works, everyone wishes it were smoother and easier.
How do we improve the situation? Vendors really don't like the vulnerability markets, researchers, quite understandably, fear liability, and users just want fixes. How would a vulnerability disclosure agent straddle this three-sided fence? It seems to me that ideally, the agent would be a respected, disinterested third party, preferably a not-for-profit that didn't accept funding from either vendors or researchers. Coming from the corporate side, that sounds like a good balance to me. What say you? Does this make sense? Are there pitfalls I'm missing?
I have been playing with Splunk, for about 45 minutes.
So far, I like it.
I've previously been exposed to Arcsight, but what I have more of an affinity for psychologically is not so much a correlation engine, but a great visualization tool that automagically can grok log formats without making me write a hairy regex. I have no idea whether I will use Splunk for anything real, but it made a good first impression. Since my budget is zero, the price of the non-enterprise version looks good, too. I am sure that for those of a less penurious station, there are many more fine contenders.
Just because you can't see it, doesn't mean it's not there. It also doesn't mean you can't figure out what it is. Much like traffic analysis, what you show and how you show it can reveal a lot about what is going on behind the scenes.
Yesterday, Sammy Migues talked about the risk of too much risk management. The only problem is that he completely misused the term Risk Management. I was all set to post a rant about that here, and in fact spent far too much time last night writing up a response. In the meantime, the Hoff and Alex responded with far better explanations and analysis than I had. So just go there and read what they had to say instead.
If you need a change in your life, consider this job posting:
Read on. If you like being the sheriff who cleans up town, this could be for you!

Title: IT Security Architecture Manager Needed
Company: TJX Companies
Location: Framingham, MA
Skills: Very strong technical security background in both the mainframe and distributed environments.
Term: Full Time
Pay: DOE
Length: Full Time
Detail:
TJX Companies is seeking an IT Security Architecture Manager who has at least 6 years experience in Information Technology and certification related to the security profession (CISSP, CISA, CISM) preferred.