Thursday, February 26, 2009

About Sao Paulo

This is a security blog, and I rarely go off-topic here, as I maintain an "other stuff blog" too. However, I wrote the stuff below to someone who is in Sao Paulo (Brazil, for those who failed Geography and are not aware of a city of almost 20 million people in South America) and asked about what to do in the city. As this is the "English" blog I think it may be more useful to this audience than to the audience of the other blog, so here it is.

[About the fences and electrified wires around fancy houses] You see, when you start to think that all those fences, armed guards and armored cars are something normal, you're definitely not in the right place! Not only that, but you'll notice there's too much traffic, too much noise and too much dirt. Having said that, I don't know a better place in the world to eat!

Sao Paulo has three areas that can be compared to Toronto's Bay Street. There is the "old" one, Avenida Paulista, which is maybe the most well-known landscape of the city. But most of the big companies are now in two new areas close to the Pinheiros river: Avenida Faria Lima (the "fancy part of the city") and Avenida Berrini (mostly technology companies: Microsoft, HP, etc). There is a new cable-stayed bridge ("ponte estaiada") in this region that is the newest landmark of the city.

I really love the Ibirapuera park; I used to live very close to it. It's a nice place to walk around on a Saturday morning. Avoid Sunday, as it's usually too crowded. I miss early morning running there.

I like the old city centre. There are some nice (not very well maintained) old buildings, like the old city theatre. There is the place where the city was founded, a small Jesuit church, the Vale do Anhangabau (nice, but not very clean either) and the Sao Bento church (Gothic style, I really like this one).

As I said, SP is the food paradise for me. You should try the pizza, I don't know a better one. Some places to go:

- Mercado Municipal - The equivalent of St. Lawrence Market. Try the mortadela sandwich.
- Pizza - "Quintal do Braz" or just "Braz" - Quintal do Braz is a very fancy pizza restaurant; don't try it on Sundays, the waiting line is above an hour.
- Italian food - Sao Paulo received lots of Italian immigrants in the 19th century. I think SP Italian food is better than Italy's, but you need to go to the smaller restaurants. I suggest:
  - Café Toscano - Av. Moema, 444 - Moema neighbourhood (a good call after a walk in Ibirapuera park)
  - La Trattoria - Rua Antonio Bicudo, 50 - Pinheiros neighbourhood (after lunch there you can stop at the Vila Madalena bars, a nice place for "people watching")
  - Innominato Osteria - Rua Joinville, 861 - Vila Mariana neighbourhood (I used to have dinner there on Fridays; I lived two blocks away)
- Barbecue (Churrasco) - Has anybody introduced you to Brazilian churrascarias? You will find the best there! For the best, go to "Fogo de Chão" (expensive - around 50 dollars). There are others that are almost as good, like "Montana Grill" (Av. Juscelino Kubitschek, 817), that are not as expensive. That can be considered "Brazilian food".
- Feijoada (black beans) - The most famous Brazilian food; you can find it in lots of restaurants for Saturday lunch. There's a place close to where I used to live (Vila Mariana) that has a very good feijoada, some old school SP samba (called "chorinho", ten thousand times better than current samba music) and very good "chopp" (draft beer). Only at Saturday lunch time; the place is called Genuino (Rua Joaquim Tavora, 1217).

There is also "Terraço Itália". It's something like 360 at the CN Tower, as it is on top of one of the highest buildings in the city, right in the city centre. I like it as it gives you a very good perspective of the size of the city.

I wouldn't be a real paulista (people from SP) without suggesting that you go to some of the shopping malls :-) People from Rio say that malls are the paulista's beaches. The most famous one is the "Iguatemi Shopping", but I also like the "Morumbi Shopping" (good restaurants on the lower floor) and there is a new one that I don't know yet that seems to be quite fancy, "Shopping Cidade Jardim".

Well, probably enough for a whole month. Enjoy!

Beware of super Neutronic Analysis

I'm always delighted to read new "doghouse" cases from Bruce Schneier. This one is unbelievable. I don't know if I'm reading a product description or a Star Trek episode script:

"Each of these instances of the prime number based RSA algorithm can now be deciphered using Neutronic analysis. Unlike RSA, Neutronic Encryption is not based on two large prime numbers but rather on the Neutronic forces that govern the distribution of the primes themselves. The encryption that results from Singularic's Neutronic public-key algorithm is theoretically impossible to break."

You can find more directly from the source here.

Extrusion control

Rothman pointed to a nice discussion on how to prevent the extrusion (borrowing the term from Bejtlich) of stolen data in cases like Heartland, where credit card data was sent to Russia over clear text connections. Rothman's post references a nice post from Richard Mogull on the subject.

Well, I'm an old advocate of analyzing outbound traffic to detect suspect behaviour. Mogull mentions DLP tools and Rothman reminds us about netflow. They are all valid options and they are quite right in their opinions. I just want to add some thoughts on how to deploy those technologies in a way that they can really do the job. By mentioning specific technologies we may reinforce the perception that tools can solve the problem. Again, it's not about the tools. This is about monitoring. You should have something (i.e. a process) in place to monitor your outbound traffic and also an understanding of what should be flowing from and to each part of your network. If we think about Heartland, hey, there was a communication from the cardholder data environment (PCI lingo) to a highly suspect network location (sorry Russia); should it really be allowed? If yes, wasn't it something so different from the standard flows that it would be easily spotted by an anomaly detection system? (By the way, cardholder data is a very good example of a case where honeytokens can be deployed.)

Organizations should start thinking more seriously about security monitoring. Today it is basically done with IDSes, antimalware (AV, etc) and basic event correlation rules (basic = almost stupid), things that will trigger an alert if something bad is spotted. They should also invest in having people looking at uncommon stuff, like unusual destinations, protocols and traffic volumes. You can easily detect (and block) some bad stuff with the old methods, but you need to go further if you want to detect more dangerous stuff: elaborate and targeted attacks.

Good places to start thinking about how to do that: Argus, Netwitness, Arbor, Richard Bejtlich's books and blog. Maybe it's time to have some "Network security monitoring analysts" working and producing network security intelligence.
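To make the "understanding of what should be flowing from each part of your network" concrete, here is an added example (my own, not from the post or any of the tools it names) that reviews NetFlow-style records against a per-segment policy of expected destinations, a cleartext-protocol rule for the cardholder data environment, and a simple volume baseline. The segments, addresses, ports and byte counts are all constructed for illustration.

```python
import ipaddress

# Constructed policy (not from the post): what each internal segment is
# expected to talk to outbound; anything else from it gets reviewed.
ANY = ipaddress.ip_network("0.0.0.0/0")
POLICY = {
    "cde": {  # cardholder data environment (PCI scope)
        "net": ipaddress.ip_network("10.10.0.0/16"),
        "allowed": [(ipaddress.ip_network("192.0.2.0/24"), 443)],  # placeholder acquirer link
        "baseline_bytes": 50_000,  # typical per-flow volume in normal operation
    },
    "office": {
        "net": ipaddress.ip_network("10.20.0.0/16"),
        "allowed": [(ANY, 443), (ANY, 80)],
        "baseline_bytes": 500_000,
    },
}
CLEARTEXT_PORTS = {21, 23, 80}  # protocols that should never carry card data out

# Constructed NetFlow-style records: (src, dst, dst_port, bytes)
FLOWS = [
    ("10.10.1.5", "192.0.2.10", 443, 12_000),     # CDE -> acquirer, expected
    ("10.10.1.7", "203.0.113.9", 80, 4_500_000),  # CDE -> unknown host, cleartext, huge
    ("10.20.3.4", "198.51.100.2", 443, 250_000),  # office web traffic, expected
    ("10.20.3.8", "198.51.100.7", 22, 900),       # office SSH outbound, not in policy
]

def segment_of(ip, policy=POLICY):
    """Name of the internal segment an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, s in policy.items() if addr in s["net"]), None)

def review_flows(flows, policy=POLICY):
    """Return (src, dst, port, reasons) for every flow that deviates from policy."""
    findings = []
    for src, dst, port, nbytes in flows:
        seg = segment_of(src, policy)
        if seg is None:
            continue  # not an internal source; inbound flows are out of scope here
        rules, reasons = policy[seg], []
        dst_addr = ipaddress.ip_address(dst)
        if not any(dst_addr in net and port == p for net, p in rules["allowed"]):
            reasons.append(f"destination/port not among expected flows for {seg}")
        if seg == "cde" and port in CLEARTEXT_PORTS:
            reasons.append("cleartext protocol leaving the CDE")
        if nbytes > 10 * rules["baseline_bytes"]:
            reasons.append(f"{nbytes} bytes exceeds 10x the {seg} baseline")
        if reasons:
            findings.append((src, dst, port, reasons))
    return findings
```

The Heartland-style flow (CDE host to an unknown external address on port 80, moving megabytes) trips all three checks, while the office SSH flow is only reported for being outside the expected set, which is the kind of "uncommon stuff" an analyst should then look at.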

Friday, February 20, 2009

He is right again, the cloud is not more secure

Hoff wrote a nice post about some noise being generated about "The Cloud" being more secure than running things at home. He briefly pointed to one reason: the cloud is not just SaaS. Remember there are several different offerings from different layers (from applications to virtualized OS environments) considered as "The Cloud", so you'll have to "fill the security blank" when buying those lower layer services. If you are running your application, written by your developers, using some of your middleware components, on the cloud, you still need to deal with the security aspects of them, as your provider is taking care only of the layers he is responsible for. So, if there isn't a SaaS offering that exactly matches your application needs, you'll still need to worry about secure development if you decide to build it yourself, or about patch management, secure configuration and all the other fun stuff if you buy it off-the-shelf and run it in the cloud. Same problems here.

Even when you are relying mostly on SaaS, it may have an impact on your security posture. If you are a small or medium enterprise, for example, you will automatically get your threat level increased (and a lot) by using things like Salesforce. All that attention that would not be drawn by your organization's business will be drawn by your fellow cloud neighbours. The question is (and I always come back to risk assessment methodologies!), how can we measure these things to compare the risk of those two options? Where (and how) can we get reliable and compatible data on threat level and exposure?

Wednesday, February 18, 2009

"Independent" articles

Don't you hate when you are reading what should be an independent article and suddenly the author starts to describe a solution to a problem with a list of stuff that "happens to be" just like the features of his company's product? The guy is writing about processes and suddenly you find stuff like "a product that integrates with Active Directory". Ugh!

Wednesday, February 11, 2009

Security videos

Today I want to mention the security videos made by Stiennon and company. They shot these four nice pieces below:

- Data Leak Prevention
- Firewalls & IPS
- Messaging Security

I'm extremely late on this and I also believe that most of the readers of this blog also follow the blogs of the participants, but as they are very valuable for those who are working with those technologies I thought it would be nice to post the links to them here too. Enjoy!

Still on "security as a cost"

Lawrence Pingree, from McAfee, was kind enough to comment on my post about his post on McAfee's blog on "security not being a cost". Well, I must say that what he expressed in that comment didn't change my mind at all.

As he said, security can be an enabler. I understand this statement as saying that it allows us to do something under an acceptable risk level. We could still do the same things without security and get the same savings (like using Internet connections instead of dedicated circuits). The difference is that most people won't do that without mitigating the risks. However, in order to do that, there is a cost. That's security. You can keep a single person submitting a transaction, that will certainly be the lowest possible cost. But, in order to reduce the risk from that person abusing the system, you add an approver. That's a cost. The action is still the same (the transaction), but now it happens under a reduced risk and with a higher cost.

That being said, it doesn't mean it's something bad! There are lots of things that are costs, like insurance, fire extinguishers or employee health insurance. It's not bad to spend that money, but you always try to find how to get better results spending less money. If you go this way in the budget discussions, you will be following the safe way.


Friday, February 6, 2009

Unsecured economies report

I was glad to be one of the contributors to the "unsecured economies report", sponsored by McAfee. It's certainly a very good report and it's nice to see my name in the same list as Ross Anderson and Gene Spafford.

However, McAfee has been saying since the Economic Forum in Davos that the losses due to loss of intellectual property, such as trade secrets, are $1 trillion or more annually. Just as Peter Lindstrom mentioned, I could not find any data in that report that could lead to that number! Lindstrom did a pretty nice job of showing exactly what 1 trillion means. I'd like to see how they found this number.

Security: cost center

Mike Rothman made me LOL very very hard today with this post about McAfee's attempt to say that compliance is not a cost center. Mike is completely right in saying that many have tried to do that and it didn't work. Mostly because yes, it is essentially a cost. Most of the demonstrations of security as a revenue center are artificially created by taking the benefits from other stuff and justifying them as security benefits because security allows them to materialize. It happens all the time with VPNs. It's not the VPN that saves money on network connections, it is the Internet! VPNs just make the risk of using the Internet for sensitive communication acceptable.

What impressed me most in McAfee's post was this particular point:

"Security streamlines and clearly defines roles and responsibilities making information flow more quickly through an organization"

Wow, that was brutal! Security directly and negatively impacts productivity; that's a fact we can't run away from. That's what makes this job so interesting: trying to make that impact as small as possible. We can't, however, deny that it is there. As Mike cleverly said, wrong way. That's that famous ROSI (ugh!) discussion.


Today I went to the CFI-CIRT Professional Development Day, organized by the Canadian Financial Institutions to provide content to their employees. It was awesome as it brought several good speakers to a single-day conference, concentrating a lot of good content. I had the opportunity to hear Marcus Ranum, Dan Geer and Stephen Northcutt, something that is highly unusual for a single event.

Kudos to the organization and mostly to the FIs for sponsoring this kind of event. As some speakers said, it's not common to see this level of collaboration among competitors. I'm really glad that I'm working for one of these companies.