<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-9060302730450902062</id><updated>2024-08-28T05:44:25.494-04:00</updated><category term="IA"/><category term="Information Security"/><category term="CIPP"/><category term="Encryption"/><category term="LinkedIn"/><category term="Security Incident Management"/><category term="Social Networking"/><category term="Acquisitions"/><category term="Authentication"/><category term="BD"/><category term="Barbra Symonds."/><category term="Business Development"/><category term="CISSP"/><category term="Certified Information Privacy Professional"/><category term="Certified Information Systems Security Professional"/><category term="Development"/><category term="Hacking"/><category term="IAPP"/><category term="InfoSec"/><category term="Information Assurance"/><category term="Ironport"/><category term="M and A"/><category term="Mergers"/><category term="Microsoft silent update"/><category term="Postini"/><category term="Privacy Professional"/><category term="R and D"/><category term="Research"/><category term="SIM"/><category term="Secure Computing"/><category term="Trust"/><category term="Virtual Machine"/><category term="Windows Update"/><category term="email gateway"/><category term="encrypted email"/><category term="mail gateway security"/><category term="xB"/><title type='text'>Secu RE marks</title><subtitle type='html'>Information Security issues and commentary</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/posts/default'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Jon-Michael C. Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>10</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-9060302730450902062.post-3542272794957705396</id><published>2008-04-25T16:54:00.002-04:00</published><updated>2008-04-25T16:59:14.703-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Barbra Symonds."/><category scheme="http://www.blogger.com/atom/ns#" term="Certified Information Privacy Professional"/><category scheme="http://www.blogger.com/atom/ns#" term="Certified Information Systems Security Professional"/><category scheme="http://www.blogger.com/atom/ns#" term="CIPP"/><category scheme="http://www.blogger.com/atom/ns#" term="CISSP"/><title type='text'>Upcoming interview w/ Barbra Symonds</title><content type='html'>An interview with Barbra Symonds, Associate Partner with IBM, former IRS Director of Privacy &amp;amp; Information Protection, and before that project manager for the Veteran&#39;s Administration&#39;s Privacy policy, will appear on the &lt;a href=&quot;http://blog.cippguide.org&quot;&gt;cippguide.org&lt;/a&gt; site within the next 7 - 10 days, pending approval.  
It was a great interview, with some timely comments on the state of information security and information privacy.</content><link rel='replies' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/3542272794957705396/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9060302730450902062/3542272794957705396?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/3542272794957705396'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/3542272794957705396'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/2008/04/upcoming-interview-w-barbra-symonds.html' title='Upcoming interview w/ Barbra Symonds'/><author><name>Jon-Michael C. Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9060302730450902062.post-8731220072114514644</id><published>2008-03-26T09:38:00.013-04:00</published><updated>2008-03-26T11:09:01.568-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="email gateway"/><category scheme="http://www.blogger.com/atom/ns#" term="encrypted email"/><category scheme="http://www.blogger.com/atom/ns#" term="Encryption"/><category scheme="http://www.blogger.com/atom/ns#" term="IA"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><category scheme="http://www.blogger.com/atom/ns#" term="Ironport"/><category scheme="http://www.blogger.com/atom/ns#" term="mail gateway security"/><category scheme="http://www.blogger.com/atom/ns#" term="Postini"/><category 
scheme="http://www.blogger.com/atom/ns#" term="Security Incident Management"/><title type='text'>Secure Messaging Gateway:  An Ironport Review</title><content type='html'>Over the weekend, I did a lot of reading on a company in the mail gateway business called Ironport.   I mean a &lt;font style=&quot;font-style: italic;&quot;&gt;lot&lt;/font&gt; of reading.   This was another consolidation (see &lt;a href=&quot;http://www.ecademy.com/node.php?id=68989&quot;&gt;Why behemoths buy startups&lt;/a&gt; &amp;amp; March 08&#39;s Information Security Magazine&#39;s &lt;a href=&quot;http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1303850,00.html&quot;&gt;Schneier/Ranum Face Off&lt;/a&gt;), with Cisco snatching up the market leader.&lt;br /&gt;&lt;br /&gt;I read about capabilities, product offerings, market penetrations, strategic positioning, competitors and magic quadrants.  All of this was at the urging of a friend of mine at Cisco, and how this product would drive profits for the company for the next several quarters.&lt;br /&gt;&lt;br /&gt;I did a similar exercise for my boss with respect to Postini, and their SOA mail security capabilities purchased by Google in 2006 (more on Postini in a future post).  I expect his interest is due to the encrypted email gateway.&lt;br /&gt;&lt;br /&gt;So what did I learn?  First, both of these guys lay claim to reputation-based filtering.  One holds the patent (Postini, more on this in a later post) and one has it widely implemented, maybe since before the patent was applied for (if so, of course, that would invalidate the patents).&lt;br /&gt;&lt;br /&gt;Gartner thinks Postini would only use those patents defensively.  I wonder what would happen if a new Executive management team came in at the search giant...  Cisco has deep pockets, but Google&#39;s &quot;do no evil&quot; mantra should keep this out of litigation.  Why?  
Because Ironport gateways are installed worldwide, and their reputation filters handle 5 billion email messages.  Per day!  They calculate that&#39;s over 40% of the mail traffic worldwide.  From that traffic analysis, they push threat updates in near real time (every 5 mins).&lt;br /&gt;&lt;br /&gt;I&#39;d say that is doing no evil.   John Chambers likes monopolies.  Ish (for the Justice Department and the Sherman Anti-trust Act).  Cisco has 80% of the router and switch market.  A lot of companies say &#39;Does it have a Cisco tag on it?  Yes?  Then it can come into my network...&#39;&lt;br /&gt;&lt;br /&gt;In addition to the reputation filters, Ironport has several other unique features.  They built their gateways on a modified FreeBSD OS they call AsyncOS.   AsyncOS&#39; security includes a limited port attack surface, reputation-based filtering at the connection level, and an LDAP/Active Directory integration that drops mail for invalid addresses without Exchange &amp;amp; Notes wasting their CPU cycles and disk space.  Performance enhancements include a non-blocking I/O write cache (disk access I/O is their major bottleneck), intelligent mail transfers (check to see if a domain is up before sending), and per-receiving-domain message queuing.  Lastly are the management features, including an intuitive, web-based GUI (it really is pretty simple), a three-tiered rule set deployment, and a peer-to-peer control structure.  For disconnected users, there&#39;s also an email gateway.  And of course, they have tons of case studies from recognizable names like Dell, Virgin, Ryder, Johns Hopkins, etc...&lt;br /&gt;&lt;br /&gt;I expect Cisco will increase Ironport&#39;s distribution throughout the messaging space.  
Now we just need Microsoft to buy Tumbleweed (the other upper right magic quadrant product) and the big mergers and acquisitions will be complete.</content><link rel='replies' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/8731220072114514644/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9060302730450902062/8731220072114514644?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/8731220072114514644'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/8731220072114514644'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/2008/03/secure-messaging-gateway-ironport.html' title='Secure Messaging Gateway:  An Ironport Review'/><author><name>Jon-Michael C. Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9060302730450902062.post-1318124309485697380</id><published>2008-03-18T13:15:00.006-04:00</published><updated>2008-03-18T13:38:37.961-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CIPP"/><category scheme="http://www.blogger.com/atom/ns#" term="IA"/><category scheme="http://www.blogger.com/atom/ns#" term="IAPP"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Assurance"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><category scheme="http://www.blogger.com/atom/ns#" term="InfoSec"/><category scheme="http://www.blogger.com/atom/ns#" term="Privacy Professional"/><title type='text'>Certified Information Privacy Professional</title><content 
type='html'>Privacy and Information Security have always gone hand in hand.  When discussing the three tenets of InfoSec &lt;a href=&quot;http://en.wikipedia.org/wiki/Information_security&quot;&gt;(Integrity, Availability, and Confidentiality)&lt;/a&gt;, confidentiality typically envelops privacy.  In the networking/computer world, this privacy normally references encryption or separation (duties, networks, equipment, etc.).   I deal with these aspects on a daily basis, and the knowledge base for these topics and &lt;a href=&quot;http://www.isc2.org&quot;&gt;individuals practicing&lt;/a&gt; them is quite large (CISSP). However, as I&#39;m quickly finding, there are unexpected elements of Privacy (compliance/regulatory, for example) where I am quite ignorant.&lt;br /&gt;&lt;br /&gt;Over the next few weeks, I&#39;m preparing for the &lt;a href=&quot;https://www.privacyassociation.org/index.php?option=com_content&amp;amp;task=view&amp;amp;id=36&amp;amp;Itemid=223&quot;&gt;Certified Information Privacy Professional&lt;/a&gt; examination offered through the &lt;a href=&quot;http://www.privacyassocation.org/&quot;&gt;International Association of Privacy Professionals&lt;/a&gt;.  
Hopefully, there will be a few details on my new &lt;a href=&quot;http://infoprivacy.blogspot.com/&quot;&gt;Information Privacy blog&lt;/a&gt; that may be helpful to the community at large.</content><link rel='replies' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/1318124309485697380/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9060302730450902062/1318124309485697380?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/1318124309485697380'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/1318124309485697380'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/2008/03/certified-information-privacy.html' title='Certified Information Privacy Professional'/><author><name>Jon-Michael C. Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9060302730450902062.post-8513141713038580497</id><published>2007-10-08T14:13:00.000-04:00</published><updated>2007-10-09T12:13:59.686-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="IA"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><category scheme="http://www.blogger.com/atom/ns#" term="LinkedIn"/><category scheme="http://www.blogger.com/atom/ns#" term="Social Networking"/><title type='text'>Are you at risk? 
Bogus Entries on Networking Sites &amp; its impact on personal branding</title><content type='html'>&lt;small&gt;Original Post on 12-Jun-06 9:24pm&lt;br /&gt;&lt;/small&gt;The Information Assurance (IA) industry is quite small; the same major players are known throughout everyone&#39;s circles. Gene Spafford is the Godfather. His legendary research into the security arena influenced most (read all) computer science/engineering students since before my time, and his contributions through Purdue&#39;s &lt;a href=&quot;http://www.cerias.purdue.edu/&quot;&gt;CERIAS department&lt;/a&gt; still push IA research.  Martin Roesch designed the &lt;a href=&quot;http://www.snort.org/&quot;&gt;Snort Intrusion Detection System&lt;/a&gt;, considered by most as the only open source IDS deployable in a true operational environment. And Stephen Northcutt is the Director of the &lt;a href=&quot;http://www.sans.org/&quot;&gt;SANS Institute&lt;/a&gt; and originator of the SHADOW IDS from the Dahlgren Naval Surface Warfare Center, advertised by many as the first Network IDS. All of these men are well connected, and their reputations don&#39;t do their contributions justice.&lt;br /&gt;&lt;br /&gt;So recently, in the midst of finishing my graduate studies and a shakeup within my current company, I thought it might be a good idea to clean up my resume. I&#39;ve written a few papers, passed a couple of certifications, and spent time with a few companies. When I do a vanity search, I come up with a half dozen hits. Not bad, but those hits don&#39;t cover most of my work. In the wake of my recent schooling on the importance of marketing, I decided I should begin building my personal &quot;brand&quot;. That&#39;s about the time I received an invitation to join &quot;Linked-In&quot; from a former colleague, and I started examining the networking sites. What a way to rediscover my contacts! Linked-In claims 6 million users. The US has a population of roughly 240 M. 
And think who actually joins these networking sites: Information Technology or other well-heeled white-collar workers. I went through my stack of business cards, and found 100 or so people I&#39;d met, be they vendors, University contacts, or colleagues. Each person that joined added a couple more names I recognized, and everything kept growing.&lt;br /&gt;&lt;br /&gt;Now for the funny part. Remember the size of the IA industry. The major players were already on the site. I sent them invitations, and received word back from most of them. Until Northcutt. I found him on the site, and posted the invite, expecting a quick note back saying hello. Instead Stephen Northcutt writes: &quot;For real, I am not a member of LinkedIn, that is weird.&quot;&lt;br /&gt;&lt;br /&gt;I sent him a copy of &quot;his&quot; profile, to which I received: &quot;That is awesome, and that was my job title back in 2004. Anyway, I promise I am not a linked inner&quot;. I started thinking about what could actually happen with irresponsible/malicious use of these sites. What could branding theft hurt? I could see networking impersonation benefits, people sending invites based on your status/reputation... They put together a huge email list of the best/brightest of your contacts, those that are the most &quot;linked-in&quot;. What happens when they ask for introductions, based on your title and prestige, to other top connections? Think about &quot;you&quot; asking Spaf or Marty for introductions to their 600 or 1000+ contacts. Or better still, a VC evaluator, someone like Becky Bace, another IA heavyweight. Your contacts happily oblige the introductions. It&#39;s no longer a cold call for the imposter.&lt;br /&gt;&lt;br /&gt;The reason I bring this up is simple. These are security experts. Stephen has a list of accomplishments that most people dream of for an industry reputation. I mean, he started an Information Security training institute. How would he ever know he&#39;d been duped? 
And how would it be corrected? If the security experts miss this, what about you?</content><link rel='replies' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/8513141713038580497/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9060302730450902062/8513141713038580497?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/8513141713038580497'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/8513141713038580497'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/2007/10/are-you-at-risk-bogus-entries-on.html' title='Are you at risk? Bogus Entries on Networking Sites &amp; its impact on personal branding'/><author><name>Jon-Michael C. Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9060302730450902062.post-3902277053666712404</id><published>2007-10-08T14:12:00.000-04:00</published><updated>2007-10-09T12:17:10.828-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Hacking"/><category scheme="http://www.blogger.com/atom/ns#" term="IA"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><category scheme="http://www.blogger.com/atom/ns#" term="LinkedIn"/><category scheme="http://www.blogger.com/atom/ns#" term="Social Networking"/><title type='text'>Hacking &quot;Linked-In&quot;: Working around the social part of social networking</title><content type='html'>&lt;small&gt;Original Post on 14-Jun-06 4:50pm &lt;/small&gt;&lt;br /&gt;I use 
&quot;Linked-In&quot; as a social networking and online contact management tool. It&#39;s quite convenient, nearly a true peer-to-peer instantiation of a friend-of-a-friend tool (at least in the free version) and pretty indicative of most of these sites. In order to connect with someone, you either must have their email address and send them an invitation, or ask someone you&#39;re already connected with for an introduction, all brokered by Linked-In. I say nearly a true peer-to-peer social networking tool, as there are a couple of ways to bypass their system. Take a look at the following &quot;Linked-In&quot; profile:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;b&gt;Computer &amp;amp; Network Security Professional&lt;/b&gt;&lt;br /&gt;Greater Los Angeles Area | Computer &amp;amp; Network Security&lt;br /&gt;&lt;b&gt;Experience:&lt;/b&gt;&lt;br /&gt;Sales&lt;br /&gt;&lt;u&gt;Northrop Grumman &lt;/u&gt;&lt;br /&gt;&lt;i&gt;Computer &amp;amp; Network Security Industry&lt;/i&gt;&lt;br /&gt;1985 - Present (21 years)&lt;br /&gt;Business Development Manager&lt;br /&gt;&lt;u&gt;Lockheed &lt;/u&gt;&lt;br /&gt;&lt;i&gt;Computer &amp;amp; Network Security Industry&lt;/i&gt;&lt;br /&gt;1995 - 2006 (11 years)&lt;br /&gt;Business Development Manager&lt;br /&gt;&lt;u&gt;Boeing &lt;/u&gt;&lt;br /&gt;&lt;i&gt;Computer &amp;amp; Network Security Industry&lt;/i&gt;&lt;br /&gt;1995 - 2006 (11 years)&lt;br /&gt;Business Development Manager&lt;br /&gt;&lt;u&gt;Northrop &lt;/u&gt;&lt;br /&gt;&lt;i&gt;Computer &amp;amp; Network Security Industry&lt;/i&gt;&lt;br /&gt;1985 - 2006 (21 years)&lt;br /&gt;Business Development Manager&lt;br /&gt;&lt;u&gt;Blue Lance &lt;/u&gt;&lt;br /&gt;&lt;i&gt;Computer &amp;amp; Network Security Industry&lt;/i&gt;&lt;br /&gt;1995 - 2006 (11 years)&lt;br /&gt;Sales&lt;br /&gt;&lt;u&gt;Decision One &lt;/u&gt;&lt;br /&gt;&lt;i&gt;Computer &amp;amp; Network Security Industry&lt;/i&gt;&lt;br /&gt;1995 - 2005 (10 years)&lt;br /&gt;Business Development 
Manager&lt;br /&gt;&lt;u&gt;Pacific Bell &lt;/u&gt;&lt;br /&gt;&lt;i&gt;Computer &amp;amp; Network Security Industry&lt;/i&gt;&lt;br /&gt;1995 - 2005 (10 years)&lt;br /&gt;Business Development Manager&lt;br /&gt;&lt;u&gt;DecisionOne &lt;/u&gt;&lt;br /&gt;&lt;i&gt;Computer &amp;amp; Network Security Industry&lt;/i&gt;&lt;br /&gt;1995 - 2005 (10 years)&lt;br /&gt;Business Development Manager&lt;br /&gt;&lt;u&gt;SBC &lt;/u&gt;&lt;br /&gt;&lt;i&gt;Computer &amp;amp; Network Security Industry&lt;/i&gt;&lt;br /&gt;1995 - 2005 (10 years)&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;I received this yesterday as a &quot;Colleague&quot; connect request. If your years at a specific company or school overlap with someone else, a feature within the site allows a bypass mechanism. Your message is automatically sent without any outside broker (introducer/friend) or previous knowledge (an email address). It appears that this gentleman was a very rich and very busy boy. In fact, since 1985, he &quot;worked&quot; at 7 major companies simultaneously. The only people I know afforded that sort of leeway are consultants, and they aren&#39;t business development managers (the SEC frowns on this, something about overlapping strategies and oligopolies). All of his employers are in the Computer &amp;amp; Network Security Industry, and security&#39;s a hot market, so my guess is he&#39;s a headhunter, or maybe a mass marketer selling niche email lists. Or maybe, he&#39;s a corporate spy. Probably not, but that&#39;s the security guy in me.&lt;br /&gt;&lt;br /&gt;I bring this up for user education. I personally found several University classmates I hadn&#39;t talked to in over 10 years through this same feature. And there is a temptation for networking with this guy; it appears over 177 people accepted his invitation. The only question really is how many of them he actually knows. Thankfully, you still have to choose to link with your contacts. 
Linked-In gives you the option of reporting the user for agreement violation. Just think before you click. If it doesn&#39;t look right, it probably isn&#39;t. What&#39;s a social network if there&#39;s no value in who you&#39;re connected with?</content><link rel='replies' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/3902277053666712404/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9060302730450902062/3902277053666712404?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/3902277053666712404'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/3902277053666712404'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/2007/10/hacking-linked-in-working-around-social.html' title='Hacking &quot;Linked-In&quot;: Working around the social part of social networking'/><author><name>Jon-Michael C. 
Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9060302730450902062.post-187272102697735501</id><published>2007-10-08T14:11:00.001-04:00</published><updated>2007-10-09T12:36:23.739-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Acquisitions"/><category scheme="http://www.blogger.com/atom/ns#" term="BD"/><category scheme="http://www.blogger.com/atom/ns#" term="Business Development"/><category scheme="http://www.blogger.com/atom/ns#" term="Development"/><category scheme="http://www.blogger.com/atom/ns#" term="M and A"/><category scheme="http://www.blogger.com/atom/ns#" term="Mergers"/><category scheme="http://www.blogger.com/atom/ns#" term="R and D"/><category scheme="http://www.blogger.com/atom/ns#" term="Research"/><title type='text'>Why the Behemoths Buy Startups - The Business of Research &amp; Development and Fortune 500&#39;s</title><content type='html'>&lt;small&gt;Original Post on 16-Jun-06 3:47pm &lt;/small&gt;                &lt;br /&gt;The booming 90&#39;s and the tech bubble produced some of the fastest paths to riches, especially for entrepreneurs. Startups with good ideas were quickly snapped up, without even a completed product. Thankfully, that exuberance burst, and the idea must at least be fleshed out. This system nearly makes corporate R&amp;amp;D budgets redundant and cost ineffective.&lt;br /&gt;&lt;br /&gt;First, a bit of history: in the olden days, companies handled research and development in house. Costs for a mainframe computer were more than all but the largest organizations could afford. Think of Xerox PARC. The company developed everything, from the copier to the mouse, most dependent on computers. 
Most other companies couldn&#39;t afford the R&amp;amp;D costs/staff for such a lab, and it was just too much of a risk exposing the fruits of the lab&#39;s labor, the intellectual property, to any external companies. The case law building the legal aspects of technology transfer was in place, but not as well defined as today. Later, University sponsorships gained popularity for their pure research aspects, where the technology was not normally developed into anything tangible, and instead transferred into the in-house labs. As time wore on, companies sponsored research with other companies, sharing the huge expenses, risks, and splitting the final rewards.&lt;br /&gt;&lt;br /&gt;Compare this work to the more recent PC era. Anyone could do basic research or software creation with their own IBM clone and a little programming knowledge; the costs of entry were extraordinarily reduced. Smaller companies like Microsoft, and later Cisco in Networking, could compete in a fledgling industry with a first-to-market or lowest-cost marketing advantage. These tiny companies make changes in response to new opportunities and define new strategies faster than their process-oriented, large-scale opponents. Also with the PC and computer age came a slew of technology case law and boundary-pushing patent applications. By the 90&#39;s, business process patents began covering the hyperlink, one click purchase, and wireless email. Several of these came out of smaller, less well funded companies.&lt;br /&gt;&lt;br /&gt;Fortune 500 corporations&#39; R&amp;amp;D couldn&#39;t keep up. They became less integral to the company&#39;s bottom line. The R&amp;amp;D expenses associated with the larger companies became a drag on the company&#39;s profits and thereby susceptible to outsourcing. The new technologies necessary for a company&#39;s business were protected by the more lenient laws, and licensed by the smaller developer to multiple big companies. 
This eliminated any competitive advantage for all of the licensees. So, most big companies spun off their R&amp;amp;D departments, creating autonomy and more nimble, competitive organizations, or essentially, well funded startups.&lt;br /&gt;&lt;br /&gt;Today, to replace the lost product enhancements and cutting edge capabilities created in-house, Fortune 500&#39;s began buying the smaller companies with market changing intellectual property or patents. By incorporating those products into the larger corporate vault, they also took away any competitor market balancing licensing or product copying techniques. This trend continues today, virtually eliminating the in-house Research &amp;amp; Development departments, and instead, allowing upstarts with great ideas the profits.</content><link rel='replies' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/187272102697735501/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9060302730450902062/187272102697735501?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/187272102697735501'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/187272102697735501'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/2007/10/why-behemoths-buy-startups-business-of.html' title='Why the Behemoths Buy Startups - The Business of Research &amp; Development and Fortune 500&#39;s'/><author><name>Jon-Michael C. 
Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9060302730450902062.post-4203675457904776998</id><published>2007-10-08T14:09:00.000-04:00</published><updated>2007-10-09T12:36:36.276-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Authentication"/><category scheme="http://www.blogger.com/atom/ns#" term="Trust"/><title type='text'>Who do you trust? Why would you trust THEM? - Authentication mechanisms and their computer analogs</title><content type='html'>&lt;small&gt;Original Post on 19-Jun-06 2:42pm&lt;br /&gt;&lt;/small&gt;                              The issue of trust is a big deal.  The only time &lt;i&gt;anything&lt;/i&gt; is for sure about you is directly out of the womb. Think about it. Doctors make mistakes and switch babies (The Omen). Adopted infants may not be told anything about their birth parents until age 18. DNA tests and lab mistakes incorrectly label genetic deficiencies. Identity theft (Catch Me If You Can). The list goes on. So what happens? You notice genetically dominant/recessive traits. You get a second opinion or follow-up test. You check your credit. You have multiple people vouch for you.&lt;br /&gt;&lt;br /&gt;So how well does this work in the computer realm? Information security experts typically suggest digital certificates, a kind of &quot;driver&#39;s license&quot; if you will. Think about when you go to your bank&#39;s website. Ever notice the https in the address line or the small lock in the bottom corner of your web browser? Those are both signals of digital certificates. If you&#39;re ever curious or bored one day, actually double-click the lock icon, and you can see who you are trusting. 
It may surprise you in some instances that the only computer &quot;trusted&quot; is itself. This is the equivalent of me coming up to you at a networking event, and handing you my business card. I could print whatever I want on it, and you would probably believe it. In the computer realm, this is why phishing works.&lt;br /&gt;&lt;br /&gt;If you were really interested in doing business with me, you might try to verify my card, by calling my company, and for more verification, my HR department. Or better still, do a Dun &amp;amp; Bradstreet or SEC filing search for my company&#39;s credibility. All of these have equivalents in the digital world. After you double-click the lock icon, you may see the company&#39;s name, or an Internet Service Provider. If it&#39;s a really big bank, you&#39;ll see higher and higher levels of assurance, from companies like &lt;a href=&quot;http://www.verisign.com/&quot;&gt;Verisign&lt;/a&gt; or &lt;a href=&quot;http://www.thawte.com/&quot;&gt;Thawte&lt;/a&gt;, that the computer is who it says it is. All of these may be forged or manipulated. They are only akin to a driver&#39;s license. Your bank brought in a birth certificate and social security card, but nothing more.&lt;br /&gt;&lt;br /&gt;More recently, banks began putting a second &quot;factor&quot; of authentication on their sites. Bank of America uses a picture you select from thousands of choices. If, after they verify their side with the aforementioned certificate, you see a picture other than the one you chose, there is a trust issue. You shouldn&#39;t continue with the bank transfer of large sums of money between &quot;your&quot; accounts.&lt;br /&gt;&lt;br /&gt;So how do you generate trust? References or referrals seem prudent. If you start with people you already trust, it&#39;s even better. And you trust those people because they haven&#39;t given you any reason not to. That&#39;s why the undercover spies are so effective. 
They&#39;re in place for 5 or 10 years before they receive &lt;i&gt;the&lt;/i&gt; call. This is also why informants/traitors work so well. As an insider threat, they already have access to whatever information&#39;s deemed valuable, and were finally given an offer they couldn&#39;t refuse. You&#39;ve seen how to avoid this in the cold war movies. Two people have two keys with keyholes on opposite sides of the room. The keys must turn at the same time to launch the nukes, or shut down the reactor core, or whatever the major drama.&lt;br /&gt;&lt;br /&gt;More recently, companies like &lt;a href=&quot;http://www.innerwall.com/&quot;&gt;Innerwall&lt;/a&gt; and &lt;a href=&quot;http://www.securify.com/&quot;&gt;Securify&lt;/a&gt;, as well as stalwarts like &lt;a href=&quot;http://www.rsasecurity.com/node.asp?id=1155&quot;&gt;RSA&lt;/a&gt;, &lt;a href=&quot;http://www.microsoft.com/technet/itsolutions/network/nap/default.mspx&quot;&gt;Microsoft&lt;/a&gt;, and &lt;a href=&quot;http://www.cisco.com/go/security&quot;&gt;Cisco&lt;/a&gt;, provide potential solutions. All have advantages and deal with the end computer, but most may be gamed. They are really only applicable in corporate settings where IT&#39;s additional software is in place, and are typically based on digital certificates.&lt;br /&gt;&lt;br /&gt;The most interesting solution comes from Innerwall, where a computer earns trust. The basis is differentiation. The computer type determines a great deal of the believability, due to physical controls, like good old fashioned locks and security guards. Servers are more trusted than PCs, which are more trusted than corporate laptops, and the trust continues down through remote corporate laptops, PDAs and eventually non-corporate laptops. The amount of time the computer is on (uptime), and peer-to-peer elections determine even more trust. If an end host has software that checks and makes sure the computer is &quot;in-line&quot; it receives additional trust. 
All of this information sums, similar to references and background checks. If a computer &quot;leaves&quot; for a brief stint, or acts remarkably different/erratic, it loses some credibility, which must be earned back.&lt;br /&gt;&lt;br /&gt;I still see this solution&#39;s weakness as analogous to the double agent or sleeper cell. A stolen corporate laptop exposes the vulnerabilities of the software and settings. The idea is that the computer&#39;s not trusted enough to do any real damage. And you eventually must trust someone, right?</content><link rel='replies' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/4203675457904776998/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9060302730450902062/4203675457904776998?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/4203675457904776998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/4203675457904776998'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/2007/10/who-do-you-trust-why-would-you-trust.html' title='Who do you trust? Why would you trust THEM? - Authentication mechanisms and their computer analogs'/><author><name>Jon-Michael C. 
Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9060302730450902062.post-3175829871543992485</id><published>2007-10-08T14:07:00.001-04:00</published><updated>2007-10-09T12:36:47.821-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="IA"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><category scheme="http://www.blogger.com/atom/ns#" term="Security Incident Management"/><category scheme="http://www.blogger.com/atom/ns#" term="SIM"/><title type='text'>Want not be hacked? Security Vendors - why less is more!</title><content type='html'>&lt;small&gt;Original Post on 10-Jul-06 5:30pm&lt;br /&gt;&lt;/small&gt;                     The IT industry loves advanced technology, even to the point of gadgetry. Some immature technologies are adopted simply for the gee whiz factor. Others have a specific niche application, and are money well spent. The IT staff spends time and effort integrating the new application into the enterprise architecture, and then rolls out the first release. Security in the past relied on these new, hot technologies; they were stand-alone, and the architects selected the best of breed product after a trade study or bake-off.&lt;br /&gt;&lt;br /&gt;This methodology worked well in the past; each new piece added received its own separate command and control structure and performed its stove-piped duties. Routers begat Firewalls begat Anti-virus begat IDS begat… IT spent more time distilling information, managing products and filing RFPs, and less time making the company more efficient/profitable/secure. 
Other niche vendors offered Security Incident Management products, hoping to ease the burden and consolidate Syslogs and IPS reports from disparate sources. This produced another product management specialist or further taxed the existing staff.&lt;br /&gt;&lt;br /&gt;As happens with maturing industries, vendors consolidated (see &lt;a href=&quot;http://www.ecademy.com/node.php?id=68989&quot;&gt;Why the Behemoths Buy Startups - The Business of Research &amp;amp; Development and Fortune 500&#39;s&lt;/a&gt;.) The larger companies&#39; integrated products became more easily managed, required less staff, and fewer end operation center consoles. The new product line also reduced operations center specialization. And yes, for you back-office folks, from a business perspective this lower cross-training is a benefit. Have you ever seen the pay checks for a &lt;i&gt;really&lt;/i&gt; good UNIX admin?&lt;br /&gt;&lt;br /&gt;Single vendor implementations have one other major advantage: outsourcing. A mid-sized restaurant business doesn&#39;t make money on the latest security roll-out, and would be better served paying lower total ownership costs to someone else familiar with those services. The Managed Security Service Providers are more than happy to oblige. MSSPs like dealing with a specific product set. They will take an upfront hit on replacing a few customer security products with their preference for later recurring revenue streams. Replacement simplifies their monitoring through use of the single vendor&#39;s management and reporting tools bundled with products. And they can claim the latest releases with minimized testing and upgrade headaches. After all, the single vendor is responsible for the interoperation.&lt;br /&gt;&lt;br /&gt;Some readers may ask: &quot;What about the best of breed? Firewall product X is 15% more efficient at 95% bandwidth utilization and…&quot; or &quot;Antivirus product Y has 12 more virus signatures with…&quot;. One word: commoditization. 
Honestly ask yourself, by the time a head-to-head comparison reaches print, do you think Cisco, Symantec, or Microsoft have not already incorporated/road mapped whatever features they lacked? Major vendor mitigation strategies or defense in depth approaches abound, and the small players will not hold the top spot for long. They will be bought, or made inconsequential, as a great idea that everyone else incorporated. Ask the product set vendors. They&#39;re more than happy to tell you how they&#39;ve already overcome those anomalies. Their products are &quot;good enough&quot;, and will surpass any competitive deficiencies through sheer programming muscle.&lt;br /&gt;&lt;br /&gt;This single vendor solution is by no means perfect. Each new acquisition requires a release just to change the startup screens and badging. After the first major revision, the acquirer&#39;s developers typically figure the new product out, and harmony returns to the vendor&#39;s product set. The &quot;commodity feature&quot; incorporation into existing products may likewise take a programming cycle, maybe even two. Your individual product security may suffer slightly, but the tools working in concert produce a higher security, complete solution. 
The advantages far outweigh the detractors.</content><link rel='replies' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/3175829871543992485/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9060302730450902062/3175829871543992485?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/3175829871543992485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/3175829871543992485'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/2007/10/want-not-be-hacked-security-vendors-why.html' title='Want not be hacked? Security Vendors - why less is more!'/><author><name>Jon-Michael C. Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9060302730450902062.post-1453002804034172625</id><published>2007-10-08T14:03:00.000-04:00</published><updated>2007-10-09T12:37:00.840-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="IA"/><category scheme="http://www.blogger.com/atom/ns#" term="Information Security"/><category scheme="http://www.blogger.com/atom/ns#" term="Microsoft silent update"/><category scheme="http://www.blogger.com/atom/ns#" term="Windows Update"/><title type='text'>Want to hack ANYONE&#39;s computer? 
Just follow Microsoft&#39;s lead!</title><content type='html'>&lt;div&gt;&lt;small&gt;Original Post on 13-Sep-07 7:37pm: &lt;/small&gt;&lt;/div&gt;                              In an interesting move today, it is reported that &lt;a href=&quot;http://windowssecrets.com/comp/070913/#story1&quot;&gt;Microsoft is silently updating Windows XP and Vista.&lt;/a&gt;  I emphasize silently.  Remember &lt;a href=&quot;http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601&quot;&gt;Sony&#39;s rootkit debacle&lt;/a&gt;? There are no reports of problems, but when my machine mysteriously decided on its own that it was time to reboot in the middle of a presentation, it made me look bad, and question my IT staff. We don&#39;t have auto update turned off, but several of our customers do because of patching and regulatory restrictions. And this patch occurs even in the instances where customers turned off Windows Update!&lt;br /&gt;&lt;br /&gt;Lo and behold, Microsoft itself granted privileges on every single XP and Vista system.  With all the discussions about how &lt;a href=&quot;http://www.microsoft.com/technet/technetmag/issues/2007/01/SecurityWatch/&quot;&gt;trustworthy and secure new versions of Windows&lt;/a&gt; are, and the publicity surrounding Sony&#39;s music CD installations, it stands to reason that Microsoft would not want this capability under &lt;b&gt;any&lt;/b&gt; circumstances.&lt;br /&gt;&lt;br /&gt;So what does this imply to an information security professional? A back door. Cisco, Symantec, and McAfee all claim their security products are rock solid, and because of encryption, digital rights management, and other safety precautions are safe to use. 
In their &lt;a href=&quot;http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Dror&quot;&gt;NACAttack&lt;/a&gt; presentation at Black Hat 2007, Dror-John Roecher and Michael Thumann showed just how safe Cisco&#39;s security protections are, and how complexity breeds difficulty in security. Cisco puts in a ton of security measures so that hackers can&#39;t connect to the network, and these researchers cracked it. Why make it any easier for an attacker, by giving them yet another vector to &quot;update&quot; files in the Operating System?&lt;br /&gt;&lt;br /&gt;I don&#39;t care if all of this is for the betterment of my computer experience; if I don&#39;t want it, or insist you ask me about it, you&#39;re obligated to do just that. Explain the risks to me, then ask if I&#39;d like to install it now. That way, if I&#39;m in the middle of a presentation for a multi-million dollar sale, &lt;i&gt;I&lt;/i&gt; can quietly decide that now&#39;s not the best time for an update.</content><link rel='replies' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/1453002804034172625/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9060302730450902062/1453002804034172625?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/1453002804034172625'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/1453002804034172625'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/2007/10/want-to-hack-anyones-computer-just.html' title='Want to hack ANYONE&#39;s computer? Just follow Microsoft&#39;s lead!'/><author><name>Jon-Michael C. 
Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9060302730450902062.post-9142434441022852510</id><published>2007-10-08T13:11:00.001-04:00</published><updated>2008-03-14T21:43:13.711-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Encryption"/><category scheme="http://www.blogger.com/atom/ns#" term="Secure Computing"/><category scheme="http://www.blogger.com/atom/ns#" term="Virtual Machine"/><category scheme="http://www.blogger.com/atom/ns#" term="xB"/><title type='text'>Want to avoid wiretaps or questionable search and seizure? Try a secure computer on USB</title><content type='html'>Everyone wants a certain comfort level, especially with computers.  You like finding your programs on your system.  You want your bookmarks in Firefox or your buddy list on Instant Messenger.  What if you were able to carry all of this on a USB thumb drive?  In fact, what if you were able to bring your entire &quot;computer&quot; with you on a USB memory stick?  How could you hope to secure it against viruses, keystroke loggers, or even un-trusted/hostile networks?  What about other users poking around for your files, or maybe reading your emails?&lt;br /&gt;&lt;br /&gt;Not long ago, I watched a show on Bravo called &quot;Flipping Out&quot; (actually my wife watches, and I&#39;m in the room…  honest.) where the protagonist, &lt;a href=&quot;http://www.bravotv.com/Flipping_Out/episodes/episode_105/index.php&quot;&gt;Jeff Lewis&#39; computer was changed by an employee&lt;/a&gt;, and Jeff couldn&#39;t use anything.  Sarah Jessica Parker&#39;s character in &quot;Sex and the City&quot; had a nervous breakdown when she had to go to a new computer.  
The success of the &lt;a href=&quot;http://www.geeksquad.com/tools/supporttool.aspx?id=439&amp;amp;PSRCH&quot;&gt;Geek Squad&lt;/a&gt;, and a quick Google search for Computer Help show it&#39;s a big problem.  Microsoft made a big deal of their &lt;a href=&quot;http://www.microsoft.com/windowsxp/using/windowsvista/ballew_upgrade.mspx&quot;&gt;Windows Easy Transfer&lt;/a&gt; upgrade process from Vista to XP.  You should be able to see where a &quot;portable&quot; computer could be useful, especially if you travel a lot.  I&#39;m talking smaller than just a laptop.&lt;br /&gt;&lt;br /&gt;One of the earlier &quot;modern&quot; portable OSes was a minimized Linux distribution designed to fit on a CD.  &lt;a href=&quot;http://www.knopper.net/knoppix/index-en.html&quot;&gt;Knoppix&lt;/a&gt; was one of the first &quot;computers&quot; compacted enough to be portable with features like OpenOffice, web browsers, and email access expected in a recent desktop.  However, the security provisions were originally lax.  Now, with Virtual Machines (VM) from &lt;a href=&quot;http://www.vmware.com/&quot;&gt;VMWare,&lt;/a&gt; &lt;a href=&quot;http://en.wikipedia.org/wiki/Xen&quot;&gt;Xen,&lt;/a&gt; and &lt;a href=&quot;http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx&quot;&gt;Microsoft&lt;/a&gt; all the rage, you&#39;d expect several possibilities.  I&#39;d like to discuss one in particular, designed &lt;i&gt;&lt;b&gt;completely&lt;/b&gt;&lt;/i&gt; around security.&lt;br /&gt;&lt;br /&gt;A few of the guys from the &lt;a href=&quot;http://www.cultdeadcow.com/&quot;&gt;Cult of the Dead Cow,&lt;/a&gt; the security researchers/hackers that released Back Orifice to Microsoft&#39;s dismay in the 90&#39;s, started a quest for a secure portable computing system.  
Steve Topletz created &lt;a href=&quot;http://xerobank.com/xB_machine.html&quot;&gt; xB&lt;/a&gt; as a result of this work, and demonstrated the product at &lt;a href=&quot;http://www.portableprivacy.net/2007/08/defcon-15-review.html&quot;&gt;DefCon 15&lt;/a&gt;.  The description of the product from the xB website:&lt;br /&gt;&lt;blockquote&gt;&quot;xB Machine is the Secure Virtual Workstation™ that provides a safe computing environment for personal, professional, and corporate use. It is the ultimate user security and privacy tool, and the flagship of the XeroBank product line-up. Use it for safe and anonymous internet, surfing, email, encrypted messaging, and financial transactions. Put your computer in your pocket by placing xB Machine on a flash drive; thanks to virtualization technology it will be the same no matter where or on what computer you run it.&quot;&lt;/blockquote&gt;&lt;br /&gt;So what does a system like this give &lt;i&gt;you&lt;/i&gt;?  Probably not much unless you&#39;re paranoid, but the idea is nearly complete anonymity.  The encryption on this system is stronger than what the NSA requires for Top Secret information.  In fact, the Advanced Encryption Standard cryptography should be &lt;a href=&quot;http://www.keylength.com/en/compare/&quot;&gt;sufficient protection for the next 20 years.&lt;/a&gt;  This protects against immediate disclosure of the system in case of a lost or stolen key.  There is also a zeroize feature, where if you enter a password the entire key will erase itself.  The software pre-loaded on the system also pushes anonymization, as well as network connections incapable of snooping.&lt;br /&gt;&lt;br /&gt;From what I&#39;ve seen, the system takes care of data at rest, in transit, and in use.  The only thing I can think of is sharing data appropriately.  There are devices on the anonymous TOR network that could allow secure file transfer through SFTP.  
There are applications for this work, although its release makes Intelligence collection (think terrorists) nearly impossible when used.  Then again, newspaper advertisements work even better.  Anyone seen &lt;a href=&quot;http://www.imdb.com/title/tt0401997/&quot;&gt;Breach?&lt;/a&gt;  In using the system, my observation is its speed is a bit slow.  But think about what you get.  How paranoid must you be before you find this necessary?&lt;br /&gt;&lt;br /&gt;Why would someone create such a cloak and dagger machine?  We live in a capitalist society, and although this does contribute to the security body of knowledge, my guess for the real reason for the system:  sales of the high speed XeroBank anonymous network connections.  Everyone has their motives, and people will pay especially when it comes to security.</content><link rel='replies' type='application/atom+xml' href='http://securemarks.blogspot.com/feeds/9142434441022852510/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9060302730450902062/9142434441022852510?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/9142434441022852510'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9060302730450902062/posts/default/9142434441022852510'/><link rel='alternate' type='text/html' href='http://securemarks.blogspot.com/2007/10/want-to-avoid-wiretaps-or-questionable.html' title='Want to avoid wiretaps or questionable search and seizure? Try a secure computer on USB'/><author><name>Jon-Michael C. Brook</name><uri>http://www.blogger.com/profile/05157246802514165036</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>