QOTD - Paller on Smart Meters

The US utility industry has rushed to install smart meters, completely trusting the meter manufacturers to ensure they are secure, predictably without systematically analyzing the security risks involved and without verifying the vendor's efforts were effective against known threats. -- Alan Paller, Director of Research for the SANS Institute
Src: SANS NewsBites Vol 12 Num 25

QOTD on Security

The days of security for security's sake are past. -- Jonathan Gossels, President and CEO of SystemExperts
Src: Economic recovery strategies for information security professionals - Information Security Magazine

QOTD on Safe Online Banking

If you are using online banking you should be using a hardened system that is not used for anything else but online banking.
-- Jay McLaughlin, CIO CNL Bank

Src: Can Ubuntu save online banking? - Computerworld Blogs

QOTD on Tracking

If you don't know what you have and where it is, then how can you put the proper security controls in place to protect it? And what do you tell management when they ask what was on the CFO's laptop when he left it in the taxi? -- Kelly Jackson Higgins
Src: Tech Insight: Make The Secure Path Easy For Users - DarkReading

QOTD - FBI on Cybercrime

If we fail to act, the cyber threat can be an existential threat, meaning it can challenge our country's very existence, or significantly alter our nation's potential. I am convinced that given enough time, motivation and funding, a determined adversary will always -- always -- be able to penetrate a targeted system. -- Steven Chabinsky, Deputy Assistant FBI Director
Note: emphasis mine.

Src: FBI Underboss Says Cyber Criminals the New Mafia - www.esecurityplanet.com

QOTD on Security

Whenever information security is mentioned within most organisations there is a collective groan; the board don’t want to engage, staff don’t want to be encumbered and the IT department sometimes lack the guidance to implement anything effective.
[...]
To be attractive, security needs to be cheap to implement, validate, verify and maintain. But cheap must never mean sub-standard and this is the point at which the balance must be struck. -- Martyn Smith
Security On A Shoestring | Business Computing World

QOTD e-Records & Malware

So the malware sits on the doctors laptop, waits for him to log in ... and the malware is reading the data at the same time the doctor is. They [hackers] did not need to log in on your behalf. They did not need to crack passwords. They did not need to go to the hard drive and decrypt the data. They sat in the middle of the application. -- Dr. Taher Elgamal, CSO at Axway, was key in the development of SSL at Netscape
Src: As health data goes digital, security risks grow - BusinessWeek

Infosec Spotlight - OWASP

A quick post to encourage information security minded people to check out events and news from your local OWASP chapter; OWASP has locations in 160 different cities. OWASP "is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software." OWASP meetings are usually free, but often feature state of the art content. I have been to several in the Twin Cities area and have not been disappointed.

Whether you're a student, a government employee, a consultant, or work in the private sector, if web application security is in your scope, you ought to get involved with your local OWASP chapter or at least attend some of their events.

Link: OWASP Website
Link: OWASP Newsletters - OWASP

QOTD on Security

If human intelligence can create technology, it can also devise a way to defeat it.
Src: SIGNAL - AFCEA's International Journal

QOTD on Beta Privacy

Unlike a lot of tech products, consumer privacy cannot be run in beta. -- Ms. Pamela Jones Harbour, outgoing Federal Trade Commissioner
Src: Google Buzz Exemplifies Privacy Problems, FTC Commissioner Says - Digits - WSJ

QOTD on Social Networks

We have no choice but to think of cyberspace as the real world now. It's all become too intertwined to think of it as anything else. If you avoid dark alleys at night in the real world, you should avoid dark alleys online. -- Bill Brenner, Senior Editor, CSOonline.com
Src: Tweeps and Facebook Friends, Let's Smarten Up - CSO Online - Security and Risk

QOTD on Complacent Security

We need to combat the complacency that sometimes prevails in our industry, the way that things have always been done may no longer be the *right* way to do things. Just because your incumbent security system tells you everything is rosy, it doesn't mean you're clean, as many corporations are discovering to their cost. -- Rik Ferguson, spokesman for Trend Micro

Src: Malice in Wonderland | CIO.co.uk

QOTD on Privacy

The fact that you can be auctioned off in 12 milliseconds or less just illustrates how privacy in this country has rapidly eroded. -- Jeffrey Chester, executive director of the Center for Digital Democracy.

Src: Advertising - Instant Ads Set the Pace on the Web - NYTimes.com

QOTD by Schneier

Security systems that are good enough to protect cheap commodities from being stolen are suddenly ineffective once the price of those commodities rises high enough. Application security systems, designed for locally owned networks, are expected to work even when the application is moved to a cloud computing environment. --  Bruce Schneier is Chief Security Technology Officer at BT

Src: Security and Function Creep | Schneier.com

QOTD by Paller

There is reasonably good evidence that nation-states have been taking remote control of computers and power companies for years. If you were a country that might have to go to war with another country, you would put spies in place to map the power systems, identify the weaknesses, and pre-place weapons so that if and when you go to war, you are prepared to do real damage. -- Alan Paller, Director of Research at the SANS Institute
Src: Critical condition: Utility infrastructure - SC Magazine US

QOTD - Schneier on Function Creep

Far too often we build security for one purpose, only to find it being used for another purpose -- one it wasn't suited for in the first place. And then the security system has to play catch-up.
[...]
Sometimes it's obvious that security systems designed for one environment won't work in another.
[...]
The real problems arise when the changes happen in the background, without any conscious thought. -- Bruce Schneier is Chief Security Technology Officer at BT
Src: Security and Function Creep | Schneier.com

QOTD on People & Security

The human element is the largest security risk in any organization. Most security incidents are the result of human errors and human ignorance and not malicious intent. Therefore, it is critical that significant effort is focused on education and awareness to reduce these occurrences. -- Stephen Scharf, CISO at Experian and the former CSO at Bloomberg
Note: I realize that not everyone will agree with this statement. Still, there is much we can do to get people to think before they click.

Src: Weakest link: End-user education - SC Magazine US

QOTD - Mueller on Cats & Mice

"We are playing cat and mouse and, unfortunately, the mouse seems to be one step ahead most of the time" said Robert Mueller, Director of the FBI, regarding the threat of cyber-terrorism
Src: AFP: Cyber-terrorism a real and growing threat: FBI

QOTD - Mueller on 1,000 cuts

If hackers made subtle, undetected changes to your code, they could have a permanent window into everything you do. Some in industry have likened this to death by 1,000 cuts. We are bleeding data, intellectual property, information, source code, bit by bit, and in some cases terabyte by terabyte. -- Robert Mueller, FBI Director (US)
Src: FBI Director: Hackers have corrupted valuable data | ComputerWorld

QOTD on Cybercrime

In the third quarter of 2009, small businesses suffered $25 million in losses due to online ACH and wire transfer fraud.
[...]
Hackers are definitely targeting higher-balance accounts, and they're looking for small businesses where controls might not be very good. -- David Nelson, an examination specialist with the FDIC.
Src: FDIC: Hackers stole more than $120M in three months from small businesses

QOTD on Cyberwar

We grew up fearing the mushroom cloud, now we should fear a roomful of hackers with their electricity and internet bills paid for by a government. -- Raimund Genes, Chief Technical Officer of Trend Micro
Src: Britain applies military thinking to the growing spectre of cyberwar - Times Online

QOTD - Infosec R&D

Without effective [information security] research we will continue to fall behind the cybercriminals. Being proactive and moving ahead is necessary for our critical infrastructure, with a combination of government, university, and industry research. -- Timothy Brown, SVP and distinguished engineer, CA Security Management
Src: RSA Conference: Cybercriminals are filling the research gap - SC Magazine US

RSA 2010 Keynotes - Dealing with Sophisticated Threats in Cyberspace without Creating Big Brother

This panel featured Quentin Hardy (moderator), National Editor, Forbes Magazine; Marc Rotenberg, Executive Director, Electronic Privacy Information Center (EPIC); Michael Chertoff, Former U.S. Secretary of Homeland Security; and, Richard Clarke, Chairman, Good Harbor Consulting.

[refresh regularly until 2pm PST for live updates from the conference floor; please note that any errors of transcription or attribution are omissions due to the nature of this live blog]

[Mr. Hardy made a slip of the tongue and talked about "this great concert" instead of "this great conference."]

Mr. Hardy discusses information security issues related to boundaries, privacy, responsibility (govt vs industry)

Discussion of "Cyber Shockwave" by Mr. Chertoff. Counterpoints by Mr. Clarke: there is little difference between attacks from governments vs organized cyber-criminals.

Mr. Clarke: 20-30 nations have cyber warfare capabilities, including the US. Hackers "are stealing anything that's worth stealing," and later said "and we can't stop them." Mr. Clarke then points out the potential of cyberspace activities to increase tensions between countries.

Mr. Rotenberg: points to the need for a debate about what we (government) can and should do. "We need to come up with solutions that are smart." Later, he said "transparency and openness is very important."

Mr. Clarke: "the problem is that the government has discredited itself in the last decade. [...] The cyber command that's being stood up is NSA." Mr. Clarke said that the NSA is "the right organization to defend the military, the wrong organization to defend the public." He then mentioned that the government should not be in the business of snooping; however, it could, via regulation, ask the private sector (tier-1 or backbone ISPs) to do it.

When Mr. Rotenberg said this could be a slippery slope (my words) that would lead to commercialization, Mr. Clarke returned that that would be a role for government, to ensure that ISPs are not simply mining packets with deep-packet inspection (DPI) for pure commercial benefit.

Mr. Clarke: "The stuff [the IT & security technology] is obviously not good enough." Points back to how ISPs can help check for malware on-the-wire, before it hits the enterprise or the home.
[...]
Mr. Clarke: "Cyber-crime is not script kiddies anymore." He then argues the need to talk to other countries specifically about information security.

Discussion about whether the US is engaging in cyber-war activities. Mr. Clarke argued that it would be foolish to think that we are not. More discussion about attribution, preparation, and response.

Mr. Clarke: "Why is the electric power grid connected to the Internet?" He then points to FERC not having enforced regulation.

Mr. Rotenberg: "Privacy ends up being the collateral damage in the cyber-war battles."

Mr. Chertoff: "We are really bad at educating people at operational security." Points to the need to take into account the way people behave (not security people, the average person).
[...]
Discussion about the cyber pearl harbor, and Mr. Clarke said that we should not wait to act until a major event happens because instead every day, we have mini pearl-harbors. Mr Clarke: "We're prosecuting a very tiny percentage of cyber-crime."

Mr. Chertoff: this is a field in which "we need to attack the problem in multiple ways simultaneously."

With respect to cyber-espionage, Mr. Clarke said "we are losing our competitive advantage."

QOTD by Scott Charney

Scott Charney, Microsoft's Corporate Vice President Trustworthy Computing (TwC), gave one of the keynotes at the RSA 2010 conference. Speaking about the need to address the advanced threats and the difficulty of attribution, he said:
We need to start to realize this and think about it in a different way, assign actors and motives when we can, and think about what to do when we can't.
[...]
The attacks are happening at light speed and we need to react in a different way.
Src: Microsoft's new anti-botnet strategy revealed :: SearchSecurity.com.au

RSA 2010 Keynotes - Howard Schmidt

Howard Schmidt, White House Cyber-Security Coordinator

Jokes about the way to "register" for RSA back in the day, using pen, paper, & fax!

Be proactive! Compares security to fire-fighting & early days of fire-departments.

"How do we make things more resistant to the attacks that we're seeing?"

"You all are the ones making the difference," he said, recognizing the important roles that all of us here at RSA play.

Schmidt mentions his work to harmonize, make efficient, and make effective security across multiple areas of government. Refers to President Obama's May 2009 speech about our need for cyber-security.

"You can be FISMA compliant and not [be] secure."

"We'll beat them [i.e. our adversaries] because we will become stronger."

RSA 2010 Keynotes - Defeating the Enemy - The road to Confidence

10AM Keynote by Enrique Salem, president and chief executive officer of Symantec

We can't control what employees say about themselves; we can try to control what they say about the company.
2010 State of Enterprise Security Report: over past 12 months, 75% of companies in survey had had a cyber attack. 100% of companies had a "cyber loss" in 2009 (e.g. internal or external).

Some of the way hackers got in: IMs with malicious links or PDFs with malicious payloads.

[Here comes the "mobile" pitch]

2009 "Sexy Space" worm attack on the Symbian platform.

"Malicious insiders are able to embed new malware in our environments..."

Speaking about the insider threat, Salem said "ultimately, you can never be sure who you can trust."

[nice animation of galaxy-like cloud]

Patching virtual machines should be easier to patch... patch once and all VMs should be updated.

Announcing "Data Insight" to solve data ownership problem to automatically determine data ownership, scan file shares exposed to all, and who is accessing what files.

[Video of Amazon.com CTO]

"Information will be our greatest asset."

Security is about "how do we securely manage diverse environments."

"If we work together, we can help the information economy reach its full potential."

Award for excellence in the field of Public Policy goes to: CSIS, Center for Strategic & International Studies for their work in the Commission on Cybersecurity for the 44th Presidency.

Aware for excellence in the field of Mathematics presented by Ron Rivest. Award goes to: Dr. David Chaum

RSA 2010 Keynotes - Creating a Safer & More Trusted Internet

9AM Keynote by Scott Charney, Corporate Vice President, Trustworthy Computing at Microsoft

What changes in the cloud, and how end-to-end trust is affected by the cloud.

Traditional & more advanced threats. "Why is it so hard to understand the threat?"
5 issues:
1. Lot of bad actors & many different types
2. Many types of motives: espionage, cyber-warfare, predators
3. Attacks look the same, hard to figure out how to respond
4. Shared and integrated domain mingles everything into the cyber environment
5. Worst case scenarios are devastating and scary

"There are millions of botnets in computers around the world, and most of them are consumer computers."

[Slides show Waledac botnet geographic data and other diagrams from recent Microsoft report]

Microsoft used the court process, and blocked Waledac control domains.
 [remove one head of the hydra and another one comes back]

Charnay talks about kid & mom getting the security dialog box and clicking OK.
Analogy with smoking (personal health issue and also health issue for others around you) and internet safety (making sure that you're not polluting the Internet space around you).

Now focusing on the cloud. Was your cloud platform creating with an appropriate Software Development Life Cycle that ensures security is built-in?

How will we do forensics in the cloud? Example of a hospital getting contacted by a hacker claiming to have some of the hospital's data. If this happened in the cloud, hospital may want to do its own forensics, but cloud company might not allow due to multi-tenancy issues.

Multiple IDs to avoid a national online identification database. Video of German "EID" card, to be rolled out in November 2010. Starts with in-person "proofing" (using govt issued documents), "U-Prove" technology by Microsoft. Shows a student "Erika" getting access to an online bookstore and leaving a comment "gutte Classe" (i.e. "good class") about one of her classes.

Patented crypto algorithms of "U-prove" will be released today, as well as preview code and APIs.

"The cloud has the potential to alter the balance of power between the individual and the state."

Starting with telephone (& wire taps), emails (stored records), over time, government gained more access to individual data.

RSA 2010 Keynotes - Cloud & Security Svcs

8AM keynote at RSA by Arthur Coviello, Jr., Executive Vice President of EMC and President of RSA, also joined by David Cullinane (eBay), Paul Maritz (VMware) 


Comments will appear in square brackets throughout the post. Refresh every few minutes to get updates.

[I feel like I'm in a movie theater, just no 3D glasses]

[Movie narrator: ]When we join forces, we are stronger, smarter, than alone, and that's why we come together each year.
[Now the go-go girls, dancing to "walk like an Egyptian"]

RSA Lifetime achievement award being presented to: Whit Diffie

Art Coviello, Jr., Executive Vice President of EMC and President of RSA:
"Because cloud computing represents a challenge as well as an opportunity, we have to be careful, we don't end up in hell."
Analogy between being blind and not being able to enjoy the benefits of the Guttenberg printing press. Then came Braille. In security, we have a similar opportunity to ensure that companies can reap the benefits of cloud computing.
CIO study 51% [only 51%??] sited security as the biggest concern about adoption of the cloud.
"People must everywhere be able to trust the cloud, even if they, literally and metaphorically, can't see it."
Focus on basics: People, Processes, & Technology
"Convergence of roles [due to cloud] will bring new challenges."

Video of Paul Maritz, CEO of VMware

Coviello describes four stages of going to the cloud:
1. Moving non-critical assets
2. Virtual enterprise
3. Enterprise develops internal clouds
4. Enterprise outsource their infrastructure... hybrid clouds

["GRC," "dashboard," and "compliance" used in the same sentence]

Discussion of co-tenancy issues, example of Coke vs Pepsi running VMs on same machine.

Goals for the cloud:
Gain visibility
Asses Security
Establish Trust
Prove Compliance

Video of David Cullinane, CISO of eBay

Coviello: "The cloud will turn the way we deliver security inside out."

Consider the evolution of currency systems
Barter -> Coins -> Paper currency -> Credit Cards & bonds/stocks

"Cloud computing will indeed complete the transformation of IT infrastructures unleashed by the Internet."

Excellence in the field of Security Practices award goes to: Malcolm Harkins (Intel)

QOTD on People vs Security

There's no virus protection for stupid. -- Rodney Joffe, senior technologist at Neustar & director of the Conficker Working Group
Src: Trojans produced by criminal gangs are on the warpath - SC Magazine UK

QOTD - Spaf on InfoSec R&D Funding

Security is an ongoing effort against those who make continuing attacks against us, in a domain where innovation and change have been accelerating. We cannot hope to succeed if we take small steps, fail to provide continuous emphasis, and focus solely on finding cheap solutions to problems in 60-90 days; our adversaries are not acting this way, and we are already behind in several important areas.
[...]
It has been repeatedly noted in reports, testimony, and community gatherings that current cyber-security research is largely incremental. This evolutionary rather than revolutionary approach has prevented true leaps ahead in the technology. Thus, we continue to deal with legacy issues such as computer viruses and buffer overflows on a seemingly endless basis.
-- Dr. Eugene Spafford, Two Proposals on Cyber Security Research
Src: http://transfer.spaf.us/is-prop.pdf