Monday, March 31, 2008

Adobe on Linux - holes are cross platform

This has just been announced: "Adobe joins Linux Foundation, develops AIR for Linux"

OK, now the vulnerabilities from Adobe that sank Windows at the Pwn2Own contest will be available to Linux users too. Those contests will be fairer now :-)

Now seriously, it's impressive how people don't realize the importance of Adobe software security. We tend to believe that Windows is everywhere, but Adobe software (mostly because of PDF and Flash) is everywhere, plus all those places where Windows is not present.

If I have to bet on what software will be the infection vector for the next big worm/virus, I would point to something from Adobe.

Does your patch management system/process deal with Adobe software too?

Saturday, March 29, 2008

If it works for children...

I was reading Slashdot news when I found this one, which mentions a study requested by the UK prime minister: "Usually, 'thinking of the children' is a starting point to impose limitations on video games and the internet in general. For once, a study requested by the UK's Prime Minister seems to be a bit more objective than most. In the Executive Summary: 'Children and young people need to be empowered to keep themselves safe — this isn't just about a top-down approach. Children will be children — pushing boundaries and taking risks. At a public swimming pool we have gates, put up signs, have lifeguards and shallow ends, but we also teach children how to swim.' I think that is an important point that most studies miss, that just 'thinking of the children' and locking the bad stuff away is actually setting them up for failure later in life. A direct link to the full PDF is also available."

This means a lot for information security too! If children need to be empowered to keep themselves safe, we need to do the same with "users" regarding online safety and information protection. That's a nice piece to use when justifying Security Awareness initiatives.

Friday, March 28, 2008

VMWare, the new "unbreakable"?

I was LOL after reading this, from The Register: "(CanSecWest) VMware researcher Oded Horovitz got an earful when he told a group of security buffs his company's virtualization software was theoretically impenetrable. Speaking at the CanSecWest conference in Vancouver, his hour-long presentation, titled Virtually Secure, included a slide titled 'VM Escape' that carried the following bullet point: 'Though impossible by design, the hypervisor can still have implementation vulnerabilities.'

It was more than some attendees could bear. 'And the Titanic was unsinkable,' Mike Poor, a senior security analyst for IntelGuardians, shot back. Other attendees complained that security increasingly looked like an afterthought as VMware continued to add new bells and whistles to its Workstation and ESX Server products - many from third party companies."

I wonder if those people have learned anything from the infamous "unbreakable" campaign from Oracle.

JJD on Mac

A few minutes after I posted about the Pwn2Own contest and its results (MacBook Air compromised), JJD posted in his blog his point of view about Mac security. Well, even after reading his post I still stand by my point.

I'm not saying that Windows is better than MacOS. This issue includes things beyond security. I'm thinking about buying a Mac even while believing that Microsoft does a better job than Apple at protecting its users. I'm thinking about buying a Mac not because I'll have a more secure computer, but because it's better on usability and the BSD core makes it better for running tools that are developed on *nix/Linux systems. JJD, I think that's the main reason why security experts use Macs, not because it is more secure.

There is an additional advantage of the Mac for security experts. Most of them know how to harden a Unix box, and MacOS is exactly that, while Windows (Vista and XP) still tries to hide the best part of the show from us. So, people with the "do it yourself" mentality will probably look toward a Mac.

My point in the previous post was to indicate that Microsoft, as a software vendor, is doing a better job of making its products more secure. I'm not the only one saying that.

Macs and the Pwn2Own contest

Well, I think the results of the first day of the Pwn2Own contest show what most of us already knew: Microsoft is doing a much better job of securing its software than Apple. What makes me sad is that, because of its past and its image among geeks (as if it were The Borg), Microsoft is not being taken as seriously as it should be by security professionals, giving space to other companies to rely only on their competitor's bad past to avoid improving the security of their own products. Almost all software companies have a lot to learn from the MS Trustworthy Computing initiative. OK, we can still discuss which product is better, but we need to make all the other companies take a look at what Microsoft has been doing about security and learn from it.

Tuesday, March 25, 2008

Disruptive innovation and security, some thoughts

I was reading Hoff's posts about disruptive innovation and remembering the concepts behind it. It is interesting to see these business theories being applied to infosec. I read some of Hoff's posts about the subject and, after some thinking, I found some interesting concepts. First, we can see disruptive innovations as "sharp" angles in a market (field?) trajectory. So, a market evolution trajectory would be something like:

It's not big news that we haven't seen many disruptive innovations in the security field. However, we have lots of very smart people working in it. Why can't all these people produce disruptive innovations? I believe that the reason why we are not seeing disruptive security innovations is that the security market trajectory is not completely independent. Security products or concepts are not created from nothing, but to address a need produced by business trajectories. So, if we look at how companies do business as a trajectory, we would find security following the direction changes of that curve:

As we can see, the security line tries to follow the business line whenever the trajectory of the latter changes. The security line tends to change in more subtle moves, because security professionals need to understand the business changes and what implications they have, and only then change their concepts and products to cope with them. However, sharp trajectory changes in the business line (disruptive innovations) can make the security line more distant from the business line. These are the situations where people believe that the security market is not providing the proper tools to support the business, what I called the "Security Expectations gap". Those gaps would be smaller if disruptive security innovations were common, but the need to first identify a clear trend in the business line makes that harder to happen.

Wednesday, March 19, 2008

You need to think like this sometimes

I love to see people analyzing basic aspects of "well known truths". In this nice piece Amrit analyzes the endpoint protection "solution" in a cost/benefit way. It's very important for all of us to constantly do thinking exercises like that. Sometimes the obvious value of a security solution can quickly be turned into just a myth by a rational analysis like his.

I would love to see people doing the same for DLP and Identity Management solutions.

Thursday, March 13, 2008

ActiveX controls and security

David Goldsmith did a very nice review of the security issues of ActiveX controls. He made 5 points in his post, but this one is quite important: "They are rarely necessary. The worst part is, ActiveX controls are often add-ons that no one really needed and wouldn't miss if they disappeared. A lot of times that I have seen them used, they were mostly there to make a UI feel more Win32 and less webby. The risk to benefit ratio has rarely been worth it." He is pretty right about it. I wonder if we are not following the same dark path with Adobe AIR and Microsoft Silverlight.

Insider threat at an Auditors Conference

After the case of the French bank Société Générale, the insider threat is again a hot subject in the field. It was always one of my main interests and the subject of my Master's thesis.

This article from Network Computing mentions the need to work together with HR and put more emphasis on the human problem. There is no silver bullet technical solution. I like to advocate the need for better monitoring, from social behavior to application usage and network behavior.

Adding controls to the internal systems is usually a problem for the productivity of the organization. Because of that, it's important to work on the detection side. I believe that using SIEM tools to integrate the different sources of information AND putting together intelligence from the human perspective is the better way to work. I know about companies that are working with SIEMs fed with application and infrastructure data, and when there is a reason to suspect any employee they lower the alert thresholds for that person. This concept can be expanded to groups of people (departments at risk of lay-offs), geographical locations and others.

I gave a presentation about it during the You Shot The Sheriff conference last year. I hope I can find time to translate it into English, improve it and submit it to other conferences; it's a hot subject now and a good speaking opportunity.
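A toy illustration of the per-person threshold idea above, added here as an example and not code from the original post or from any SIEM product: constructed events from several sources are scored per user, and a watch list for individual users or whole departments lowers the score that triggers an alert. The action weights, user and department names and threshold values are all hypothetical.

```python
from collections import defaultdict

# Hypothetical risk weight per action type; a real SIEM would tune these.
ACTION_WEIGHT = {"read_record": 1, "login_after_hours": 2,
                 "vpn_from_new_country": 3, "usb_write": 4, "bulk_export": 5}
BASE_THRESHOLD = 8  # applies to anyone not on a watch list

def effective_threshold(user, dept, user_watch, dept_watch):
    """Lowest applicable threshold wins: user override, then department, then base."""
    threshold = BASE_THRESHOLD
    if dept in dept_watch:
        threshold = min(threshold, dept_watch[dept])
    if user in user_watch:
        threshold = min(threshold, user_watch[user])
    return threshold

def score_events(events, user_watch=None, dept_watch=None):
    """Sum weighted events per user across all sources; return sorted
    (user, score, threshold, sources) for users at or above their threshold."""
    user_watch, dept_watch = user_watch or {}, dept_watch or {}
    scores, sources, dept_of = defaultdict(int), defaultdict(set), {}
    for user, dept, source, action in events:
        scores[user] += ACTION_WEIGHT.get(action, 1)
        sources[user].add(source)
        dept_of[user] = dept
    alerts = []
    for user, score in scores.items():
        t = effective_threshold(user, dept_of[user], user_watch, dept_watch)
        if score >= t:
            alerts.append((user, score, t, sorted(sources[user])))
    return sorted(alerts)

# Constructed sample events: (user, department, source, action).
SAMPLE_EVENTS = [
    ("alice", "finance", "app", "read_record"),
    ("alice", "finance", "app", "read_record"),
    ("alice", "finance", "vpn", "login_after_hours"),
    ("bob", "finance", "app", "bulk_export"),
    ("bob", "finance", "endpoint", "usb_write"),
    ("carol", "sales", "app", "read_record"),
    ("carol", "sales", "vpn", "vpn_from_new_country"),
]

if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS))                             # only bob
    print(score_events(SAMPLE_EVENTS, dept_watch={"finance": 4}))  # alice and bob
```

With no watch list only bob's bulk export plus USB write crosses the base threshold; putting the finance department on the watch list makes alice's after-hours login visible at the same score that still leaves carol in sales below her threshold.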

Outlook vulnerability

It has been a long time since a vulnerability in Microsoft Outlook was disclosed. This time MS08-015 is one of those that facilitate the spreading of malware, as it makes it easier to run unauthorized code. Some people learn that they can click on links but must not click "yes" when asked whether an application can be executed. This vulnerability can catch them off guard.

I would expect to see, in those nice reports that Microsoft produces periodically, how Vista users will be impacted by this versus XP users. Everybody is talking about the bad side of the UAC features, but I'm still waiting to see good news about their results on malware activity. Hope to see something about it soon.

Friday, March 7, 2008

Cisco patch cycle

Cisco has announced its regular patch cycle, just like Microsoft. There is just a "small" difference between each company's process: Cisco is planning to release patches only twice a year.

What these people need to understand is that vulnerability management is not exactly like change management. Some people believe that long change cycles are a good sign of mature change management. OK, it may be, but for vulnerabilities the problem is quite different. While you can have a good perception of the probability that a common error will cause you problems, it's almost impossible to have the same number for a vulnerability. Not only can you not have this number, it's also not under your control! That makes vulnerability patching a different kind of change, one that needs to be released as soon as possible.

I'm curious about the motives behind this 6-month period: is it because the testing process for Cisco products is more complex, or are they just less competent than the others at producing patches?

Tuesday, March 4, 2008

Vendor tales

Weird things said by security vendors are one of my favorite subjects. When I was a CISO one of my favorite sports was to destroy vendor arguments during their presentations. OK, I know it's a bit cruel, but I would only do that when the vendor started using phrases like "our product, that is the market leader..." or "our product has perfect security by military level encryption".

I was reading Shimel's blog today and found one of those cases where the vendor dies by his own words. It's quite funny to see that someone is using as his selling pitch that his product is more secure because it relies on SNMP, "Secure Network Management Protocol" (UGH!). But what impresses me most when I find a case like that is that if they are using that speech it's probably because it's working somewhere! Yes, actually, people are probably buying their product because it uses SNMP instead of 802.1X!

Some of my friends think I'm too cynical for believing that the average security manager is almost (or even completely) an idiot. Well, I think that those vendors are the living proof of that. If their speech can convince someone, that "someone" should really not be working in a security management position.

Saturday, March 1, 2008

Security blogs

I'm very happy that this year I'll be able to attend the RSA Conference. Not only because of the first class content, but especially because of the Security Bloggers Meet-up that will happen there. I spend a lot of time every day reading the blogs of the people I'll meet there.

There are some interesting aspects to being a security professional in Brazil. There are not many security bloggers here, and most of them are just translating news into Portuguese. It's a shame that we still don't have many places to find original content. There is an additional problem with blogging in Portuguese: your readers are few, and those with enough knowledge and skills are even fewer. I'm not saying that local professionals are bad; the problem is that the size of the market here is too small to generate a good number of "above average" professionals. That's why I (and some others) decided to write in English, to try to reach those very good guys out there and receive their feedback and comments.

This option brought some very nice results. I started to have conversations with people who would be seen by many here as those "unreachable" famous professionals. I have very good feedback from Brazilians about my postings, but I was curious whether I could produce interesting content for an international audience. Until now, the results have been quite good. That makes me even more confident about my personal project to live (and work) abroad.

So, I'm eager to meet all those bloggers at RSA. It would be nice to discover that some of them are even reading my thoughts :-)