Last Day for Source2008

Yesterday I unfortunately missed James Atkinson’s talk at Source Boston but evidently it scared a few people and pissed off a few others. I did manage to catch Carole Fennelly’s talk about Incident Response Plans which was very informative even for me. And of course people are still talking about Dan Geer’s keynote. Still great talks lined up for today, listening to Frank Reiger right now telling me how insecure all my cell phones are, scary. Oh, yeah, I have a little talk scheduled later as well, at least thats what their telling me, after last night’s pub crawl I’m not sure I remember right now.

Videos of the talks are said to be available at Media Archives at some point real soon now. If you missed the con be sure to pick up a couple of these.

P.S. If you ever get to sit down with James Atkinson ask him to empty his pockets onto the table. Trust me you won’t be at a loss for conversation.
 



Smart People

Sometimes I wonder if people who are revered in their field are really all that smart. I am pretty sure that some people have achieved their positions not because they know their subject matter but because they are just charismatic people who are adept at politics and manipulation. However, as I sit here listening to Dan Geer at Source Boston talking about the dangers of a computing mono culture and the coming digital pearl harbor I realize that yes, some people really are that smart. Dan has said that his remarks will be available after his talk. I can’t wait to examine his words more closely.


This is one of the best cons I have been at in a long time. Just the right mix of serious technical talks, socialization and of course a little alcohol. Looking forward to talks today about the tug of war between business and security, Critical Infrastructure Protection, Study on Security Training Programs, and of course Developing an Incidence Response plan.


I’m pretty sure day passes are still available.
 



Source Boston 2008 Going on NOW!


SourceBoston 2008 Going on now and for the next two days. If your anywhere near Cambridge MA you should head over. The shear number of smart security people in this hotel is mind boggeling. Seriously, you can’t turn around without seeing someone else who is a major industry luminary.
Already listened to talks by Tito Jackson (no, not that Tito), he’s the Director of IT from state of MA. He basically said that Mass is great and that jobs are growing and all hail Gov. Deval! Woohoo! I kid, but it was some interesting opening remarks and good to hear that things may not be all doom and gloom as the economy suggests.
The official keynote was given by Richard Clarke the former head anti-cyber terrorism dude at the White House he runs a consulting company now, oh, and he has a book or two out. He asked a very interesting question about wether the government should disclose software vulnerabilities that it discovers or should it keep them for use in the next ‘cyber war’? IMO my tax dollars paid for it so yeah, I should get a copy!
Then Matt Moynahan from from Veracode spoke about how hard it is to quantify the security in software. A subject I have wrote here many times. Lots of good points, companys don’t want to give up their IP, there are no uniform standards, etc… Of course his company (andcformer L0pht peeps company) Veracode has the answer but it seems like a pretty good answer to me.

Oh, and I set up a Twitter account. Not sure if I will use it after the con but there it is.
 



More secure products that aren’t

Think that cool USB thumb drive you just bought with the word of ‘encryption’ written in big letters all over the package is really secure? Think again. ComputerWorld recently reviewed seven ‘secure’ USB drives and basically found that they are all crap. Either they have no security or all or they use AES in ECB mode (which is worthless) or they claim their security is ‘proprietary’ (i.e. snake oil).

Once again I have to ask how is the end user consumer supposed to know this? Why do we (consumers) have to wait for some third party to review a product before we know that the product will not do as it claims? When I go to the hardware store and buy a lamp I know it has been tested and meets certain requirements. I know that it won’t catch fire and burn down my house. Why can’t I have those same assurances when I buy a security product? I should be able to look at the product packaging and see that the product meets some sort of security standard or has been tested by some agency and meets certain criteria. If it can be done for electric pencil sharpeners it can be done for ‘secure’ USB thumb drives.
 



Tamper Resistant Point of Sale Machine Isn’t

When I see something labeled tamper-resistant or even tamper-proof I don’t assume it is secure I just think that it is a little more difficult to break into than something that isn’t tamper-resistant. Three researchers at the University of Cambridge have figured out that PIN entry keypads used for Chip+Pin transactions in the UK are anything but tamper-resistant. They have published a paper to show just how easy it is to break them open and record customer data as they swipe their cards and enter their pin numbers. I applaud their effort but all they had to do was look at what happened to Stop & Shop Supermarkets a few short months ago.

Here is some advice which you can use, at least here in the US, don’t trust those card swipe and pin entry machines at the checkout counter. Most Debit cards from US banks will also work as a VISA or MasterCard. If your at WalMart and you whip out the ATM card and the machine asks you for your PIN, hit cancel. If the checkout lady at the supermarket asks “Debit or Credit” always, always say credit. If that little machine at the checkout stand is secretly recording your card number at least you won’t also be giving it your PIN and complete access to your checking account. While this won’t stop fraud it will make the bad guys work a little harder. Hard enough perhaps that they skip your card and go to the next one. Not to mention that VISA and MasterCard probably offer a bit more fraud protection than your local bank.
 



Less Than Two Weeks to Source2008

So I was having lunch with one of the organizers of the Source Boston 2008 conference yesterday (Spicy Beef Bowl, mmmmm) and realized that this is going to be one really great conference. Not only are there big name speakers like Richard Clarke, Steven Levy and Dan Geer there are some well respected security industry luminaries as well like Carole Fennelly, Frank Rieger, James Atkinson and a host of others. But I think the big thing that will set this conference apart from the big ones like BlackHat or RSA, (besides that the fact that it is within driving distance for me) is the size. There won’t be tens of thousands of people in attendance meaning you will probably be able to get a lot of one on one time with some of the smartest security minds in the country. If your in the Boston area at all you should probably stop by for a day or two or even all three.

Oh, and the L0pht renion panel is scheduled for Friday, the day after the Pub Crawl, which ought to be interesting.

 



AES = XOR = Secure? WTF!?!

I don’t have time for all of the stupidity out there but this is just to stupid to let pass by. Easy Nova a German company that makes a variety of computer storage accessories, recently released a hard drive case with hardware data encryption with 128-bit AES and access control via an RFID chip. Which on the surface sounds really really cool. Portable secure data, what more could you ask for? As it turns out you still need to ask for it to be secure because according to Heise Online and c’t Magazine that despite the claims of AES hardware encryption the product actually uses XOR encryption to write your data! Evidently the AES is only used to encrypt the RFID signal between the drive and the key fob. AES for the RFID chip but XOR for the data? I mean WTF! How about some truth in labeling. I suppose we should be happy they didn’t use double XOR.

This is yet another example of a security product that isn’t secure. How is the consumer supposed to know? Not everyone has diagnostic labs and forensic tools at the their disposal to test each and every product they buy for security. I’ve mentioned the formation of a Cyber UL before and clearly it is sorely needed.

 



Responsible disclosure for vendors?

If a vendor finds a vulnerability in a competitors code are they obligated to tell them? What exactly is ethical and or responsible disclosure when it comes to competing vendors? Among security researchers the general consensus these days is to notify the vendor and then wait a reasonable amount time for a patch to be developed before going public. While this scenario is for the most part agreed upon and followed it is by no means a perfect solution. Now through in competing vendors and it gets even stickier.
Recently the Mozilla group was notified of an exploit in their code which they dutifully fixed. In the process they evidently realized that the same hole effected the Opera browser. Like good net citizens they notified Opera of the hole but did not wait around for Opera to fix it.
So is Opera justified in being a little miffed at Mozilla for not waiting for a fix or should they be happy that they got notified at all? Should vendors be held to the same ethical standards as researchers when it comes to vulnerability disclosure even if it is with a competitors product? Why have we had this same problem for decades without some sort of solution?
 



Most Security is Useless

Looks like I missed this the first time around but there is an article about a speech recently given by Peter Tippet, a VP at Verizon and a scientist at ICSA labs, who talks about how useless most security actually is. Most of his points are ones that I have been making for years like the uselessness of long complex passwords, all your doing is inconveniencing the user. Or how ineffective the continuous search for, reacting to, and patching of new software holes really is when you consider that only a small percentage of those holes are ever exploited. Do you want the highest rate of return on your security dollar? Spend it on the weakest link, the people. Security awareness training, while hard to quantify, will provide the biggest return in terms of security. If you can train your users to think about security as part of their everyday work lives your overall level of security will increase dramatically.

 



Uncle Sam Needs You (Geek!)

Thats right the US Air Force is looking for a few good geeks. And evidently they are willing to relax a few of the requirements of military service to get them. According to this quote in Wired Major General William Lord of the US air Force’s Cyber Command said “So if they can’t run three miles with a pack on their backs but they can shut down a SCADA system, we need to have a culture where they fit in.”

As a former Sergent in the US Army (7th ID (light)) I am pretty shocked at this statement. Military physical fitness standards are not that hard to achieve or maintain (especially in the Air Force). PT speaks to the very core of what it means to be a part of the military. When the Air Force needs pilots they don’t reduce or eliminate requirements they offer cash bonuses for reenlistment. So what happens when there is a shortage of cooks? or mechanics? Will we end up with a military that is to damn fat to get out of its own way? I don’t care what your job is, cyber warrior or not, if you’ve made the commitment to serve your country then you can make a commitment to pass a damn PT test.