OK, so a quick shameless plug for me and a couple of good friends at EL: I had the pleasure of throwing it all out with the ExoticLiability crew over the weekend, which ended up in a pretty cool podcast. Check it out at www.exoticliability.com (episode 51).
May not be completely safe for listening to at work (especially not with speakers…).
On that note (of shameless plugs) and as we noted on the podcast, if any of you know (or are) potential sponsors for BSides, and ExcaliburCon (especially if you have or want exposure in the Chinese market) feel free to contact us – g0d be my witness it’s not really expensive to sponsor, but critical as these shows are not cheap…
Closing up for now (until later this week probably – expect some new material), just a heads up on the upcoming speaking engagements:
Aha! Can’t believe I managed to avoid the unbelievable hype flood that swept across the interwebs in the last month. And to think that the last post (long overdue, I know… had REALLY good reasons for not being able to post anything) was somewhat oracleish in predicting that this would be the focus of this year.
Just to set the stage right – we are at a point where I just saw a USA Today “Money” section front page article on how Google’s engagement with the NSA post the breach will affect the security vendor market, and a few VCs were also quoted to the fact that we will be seeing IPOs this year that will ride this trend.
Overhyped – definitely. Real – just as it’s overhyped. You must be asking then what to do? If the hype is too much, then there must not be so much behind these scary global cyberwar threats! Not exactly – the threat exists, and countries do deal with making sure they have an edge over everyone else (see how I didn’t use adversaries… hint, hint 😉 ), but at the same time this has been happening for years now.
The news here is somewhat lukewarm when compared to the hype. The news is that it is becoming common knowledge that companies tend to miserably fail when keeping their own intellectual and informational assets under wraps. The news is that even the “do no evil” Google(tm) have their own share of problem using old(tm) (or should I say pathetically insecure?) software inside the Googleplex.
But let’s dig a little deeper past the hype – have anyone heard of the fourty-something other “big” companies that were affected? have anyone heard of the thousands of companies that deal with data of sensitive nature (whether they know it or not) that also have a big job ahead of them dodging the flak from their local government trying to make sure the exposure is somewhat lessened? Probably not.
I’ve have the questionable pleasure of assisting some of these entities – which have anywhere between loose and close ties to local and federal government (either providing data at will, or being relied on for compiling national threat level information at varying level of the threat modeling). Without getting into any specific details I can truly say that I was simply disappointed. A lot of good people trying to do good things, but ev
entually (as always) a big fat failure due to some sideline error brings the whole security architecture down. Things as easy as applying service packs, eliminating use of old un-pached software (IE6 – are you still here? I think I to
ld you to get out and never come back again!) and just plain good-ole’ malpractice.
Without sounding too dreary (I’m sure the horrible weekend east-coast weather is doing that to me) we still have our work cut out for us. As long as people (non-security-industry ones) are ignorant regarding the implications of their actions in an all-connected world (nice evasion of “cyberworld”!), holes will be cut open in any modern security design – no matter how well it was thought to be, or how much money was thrown into it. With almost zero-cost, we managed to implement an “idiot-proof” system that would just stop these things from happening for one of the companies…
What can you do? remember how we were taught to plan for the worst – count people in that too. Your people. They may be the smartest guys in accounting, or marketing, or production, but in terms of information assurance they can be your worst enemy (no offense guys, but it’s just like that…).
I’ll spare you the “2009 security in review” which you can read just about anywhere else you go now. I’ll also avoid the “what to expect in security in 2010” because everyone would just reiterate the same stuff they saw coming to life in 2009…
What I would do is give a quick preview on some areas of interest which I’m focusing on now – as you know, CyberCrime has been a big thing in terms of a research topic for me during the last few years. As expected, the simple technical stuff has been less of a focus (predictable, not so innovative), and the behind the scenes of how this whole thing works as a business and an industry have been the areas of innovation and true new insights on my part. As the research I conducted and managed chugged through, the many evidence that came to view also contained additional “leads” into areas that I have not explored firsthand before. That’s exactly what I’m knee-deep in now…
There have been rumors (some of them sprinkled by yours truly in my latest talks worldwide) of links between CyberCrime and nation endorsed CyberWar. In an attempt (which would hopefully not completely fail 😉 ) to make some sense out of the materials gathered and the links mapped thus far, I’ll have something ready pretty soon for peer review (if I nagged you than now you know why…), and a more public presentation of the material (again – hopefully at some of the security conferences of 2010).
So, just about making it to the first post of 2010 here, have a great year, and… stay safe out there 🙂
From the “We should have trademarked this” department: McAfee came out with their “Mapping the Mal Web“[PDF] report and are proving that innovation is best left for the smaller players to meddle with, only to be used later by the big guys.
Not that there is anything revolutionary about the report – it’s the same basic “look at what we could figure out from our logs” type, loaded with graphs and tables (as opposed to forward looking research, or one that dares to predict or create a disruptive technological/behavioral change). But the mere use of “MalWeb” is funny since I clearly remember starting to use it in an internal meeting some years ago back when we used to issue reports ourselves…
In any case – use this “with caution” (just as you would use last years financial news to base your investments on), or better yet – just use the graphs and maps to scare potential customers 🙂 Hope that the nest report would have a somewhat beefed up sections discussing “what to look for” (a mere single paragraph here), and more discussions on the thinking of how domain names are picked by eCrime operators to reach their target audience.
I just ran across this great blog post from Lori MacVittie at Web2.0 Journal. Can’t say exactly why it sparked my interest, but after reading it I realized this may be Freudian… The proposed Anonymous Human Authentication (AHA – great acronym Lori!) proposed in it closely resembles a technology we worked on back in the days of BeeFence.
I’m not putting any links to BeeFence since it was a startup I had the honor to be one of the founders of (which obviously went down the road of many other startups…), but the neat thing about it was the technology (did I mention I was the CTO 😉 ). Basically – we had what we called “Active Validation” (or sometimes “Interrogation”) of sessions. We generalized it a bit more to cover additional protocols rather than just focus on Web2.0 (think what it can do to the NIDS/IPS world…).
Makes me think of getting back on the startup bandwagon, although I’d have to make some sense out of the drawer-full of ideas I’ve been filling over the past few years having been engaged in web security and cloud security recently… you never know 🙂