Tuesday, December 22, 2009

Post-Blog Report: 26 Short Topics about Security

Aloha and welcome to the post-blog report.  Over the last 5 months, I’ve been writing a blog series called 26 Short Topics about Security and wanted to share some observations.  First, I went about this since there are so many IT challenges when it comes to security and it’s virtually impossible to cover them all.  Plus, I’m always looking for interesting stats and stories pertaining to security and thought I’d gather them up in one place.  It’s sort of a 2009 ‘Security Greatest Hits’ (or Misses, if you’re a Devo fan).

If you are a blogger and sometimes have difficulty producing a consistent stream of valuable conversations, a blog series will do the trick.  You’re not alone since Perseus reports that 66.0% of surveyed blogs had not been updated in two months, "representing 2.72 million blogs that have been either permanently or temporarily abandoned.”  I had a daily urge to continue my quest and keep the flow going rather than jumping on ‘whatever the topic/crisis of the day’ was and writing about that.  Interestingly, the timing of many of the topics coincided with a recent event, so it worked out well.  Specific keywords in the titles, like Firewall, Virtualization, Twitter or any other term that’s hot (frequently searched) drew the most readers even if the title was a little ‘out there.’  And like any writer, I was a little surprised by the entries that got the most attention.  You know the routine, you think something is fantastic but nobody cares and the ones you feel are a little weak get massive reads.  Go figure.

The other thing I tried during this series was to include a ton of links (Don MacVittie called it a link-fest) to referring stories along with links to the previous stories in the series for easy perusal.  When one got read, so did multiple others, which positively influenced Pages per Visit and Average Time on Site – key metrics for any website.  Finally, I’m thinking about recording the blogs to offer an audio version (à la Audio Whitepapers) of the series.

Now to put a bow on this – All 26 Short Topics about Security:
  1. 26 Short Topics about Security: Stats, Stories and Suggestions
  2. BREACH is the Word, is the Word, is the Word that you Heard….
  3. Remember when we drew big Clouds on whiteboards…
  4. Decade old Data Centers
  5. The Encryption Dance (plus the A Cappella version)
  6. Yelling ‘WebApp Firewall’ in a Crowded Data Center
  7. Be Our Guest
  8. Hacks, Hackers, Hacking
  9. Dumpster Diving vs. The Bit Bucket
  10. The Threat Behind the Firewall
  11. Keys to the Kingdom
  12. Brought to you by the Letter L and the Number 7
  13. Reduce your Risk
  14. Our H1N1 Preparedness Plan (actually counted as 13.5)
  15. Can my PAN ride the LAN out the WAN?
  16. F5’s BIG-IP system with Oracle Access Manager
  17. This time, it’s Personal
  18. Don’t say a Word
  19. Will you Comply or just Check the Box?
  20. Social Media – Friend or Foe
  21. IPv6 and the End of the World
  22. You’ve Taken That Out of Context
  23. Virtualization is Real
  24. Windows Shopping
  25. X marks the Games
  26. It all comes down to YOU - The User
  27. Catch some Zzzzzzzzzzzzz
Bonus blog: Bit.ly, Twitter, Security & You

Wednesday, December 16, 2009

Catch some Zzzzzzzzzzzzz

It used to be the ‘stuck to our side’ pagers going off at 3am to tell you that a server crashed that would keep you up at night.  You’d drag yourself out of bed (or the chair at the data center that you fell asleep in), tippy-toe to the computer in hopes of gaining remote access or wander to the car, still in your PJs, to drive to the facility.  In February 2009, InformationWeek & Dark Reading conducted a survey entitled ‘What Keeps Infosec Pros Awake at Night.’  They asked more than 400 IT pros, among other things, what their most serious threats are, how they are prioritizing their defense against them and what they are going to do to keep their data safe in 2009 and beyond.  At the time, 52% said they were concerned about internal threats – either employees or partners, accidental or malicious.  This makes sense since there were several articles in early 2009 which looked at laid-off workers turning to cybercrime.  They also feared the loss/theft of a laptop/portable storage device which might contain sensitive information that can lead to a corporate security breach.  Their biggest wish was for end users to be smarter about security and understand the risks.  Automated technology allowing IT pros to focus on emerging threats rather than day-to-day firefighting came in 2nd.  They just wanted to have the time to find ways to make their systems more secure, and compliance was driving it.

Recent data from Verizon’s addendum to its Data Breach Investigations Report actually shows that most (73%) data breaches come from external sources, not insiders.  Granted, the InformationWeek data was garnered from a survey (point-in-time opinion) while the Verizon info was generated by analyzing disclosed/investigated public data breaches (over time) and doesn’t include undisclosed incidents with internal investigations.  Verizon concluded that breaches which warranted public disclosure were primarily done by external sources.  I’m sure that many internal incidents that didn't affect a large swath of the public were never disclosed, which could slightly sway the results, but it is interesting nonetheless.  So the fear was insider threats, yet the actual data implicates outsiders.  I started wondering if this is one of those Perception vs. Reality things or, as Stephen Covey puts it, “We see the world, not as it is, but as we are.”

In February 2009, when the economic crisis was in full swing, layoffs were a daily occurrence.  There were many documented cases in the early 1990’s of crime/fraud that occurred during that recession and many believed it would happen again – but this time with technology's help.  Stories started to appear indicating that this scenario might happen again and when the few that did happen were spotlighted (like the current trial of Terry Childs), folks believed, or feared, that a new wave was coming.  The data that came out the other end seems to show that those internal threats were less than expected, except maybe in the financial industry.  The other side is that sometimes perception is more important than reality.  With the perceived imminent danger of rogue ex-employees, IT departments had a wake-up call to reexamine how they handle access termination, a critical piece of data preservation.  In life and security, our view of the perceived risk is based on our past experiences/beliefs and that ultimately shapes our reality.  My reality and your reality might be very different, but we always have the power in how we respond to events, even ones out of our control.  So as 2009 winds down and you get some needed rest (maybe), revel in the fact that this challenging year is almost over, you did the best (hopefully) you could, and there will be a whole new set of threats, breaches, viruses, vulnerabilities, scams, malware and many other incidents that put security at risk, as thieves typically work through the holidays.  Plan as best you can and take the new ones in stride as a challenge to all of us to get even better at protecting all our critical assets – including the living, breathing ones.

And there you have it – 26 Short Topics about Security.  Yea, we made it!  But wait, there’s more.  Stay tuned for the Post-blog Report where we look back at the series, pick some favorites and share what I’ve learned about putting together a chain of blogs over the course of 5 months covering a single topic.  Should be fun.



Monday, December 14, 2009

It all comes down to YOU - The User

One of my favorite security writers, Bruce Schneier, had an interesting entry last week called Reacting to Security Vulnerabilities where he discusses the recent reports about the security flaw in the SSL protocol and how we as users should relax and essentially ‘do nothing.’  “What?!? – Do nothing??”  Yup, and he has some good reasons why.  Usually, new exploits, threats, breaches and the typical security stuff that garners the headlines makes security folks jump.  Jump to search the internet for anything related, jump to see if our systems are infected or vulnerable, jump to put an action plan in place to reduce the risk.  These are reactionary behaviors when gloom gets delivered and we don’t fully understand the risk.  I’m not saying ignore warnings or don’t plan for the worst, but since several new ‘weaknesses’ seem to get published on a monthly basis, you do need to prioritize and put some context around it.

With anything in life, there are certain things we have control over and others we do not.  For many years now, we’ve been warned that it is risky to click on embedded links in a suspicious email or dangerous to click through the certificate warnings from your browser, and hopefully many people have changed their behavior.  That’s within our control.  But when a researcher finds a specific vulnerability in a particular protocol, potentially affecting several vendors, there is really not much an individual user can do.  Sure, you or the IT department can check with your vendor to see if it applies to their product, but would you immediately stop using something when it’s a critical part of your infrastructure?  Once again, as is usually the case for security, you must weigh the risks and determine if it’s within your control.  Bruce points out that many of the vulnerabilities affect systems that are out of our control and if your data is already out there, unplugging your computer will not lessen the potential exposure.

What you can do is simply stick to your general security practices (AV/FW, OS patches, auto updates, backups, common sense), which already protect you from a slew of vulnerabilities, but let the experts/vendors figure out the best way to handle new exposure(s) since they must deal with them on a daily basis.  If the risk is too great and your infrastructure is vulnerable, push your vendor for an answer.  Most vendors, especially with security products, are fairly reasonable and typically move fast when it comes to security holes – their reputation and revenue are at risk.  You can also report to CERT if you’re not getting a response, but most vulnerability ‘finders’ alert the vendor first and give them a chance to fix or respond to it.

Protecting yourself from the multitude of threats on the internet can be daunting, never ending, and always changing, so you do need to be vigilant with the things you can control, but as you peruse the Top 9 Breaches of 2009 or the Top 15 Most Common Attacks, you find there was/is little you could do to avoid them.

*For the record, F5 is listed on the US-CERT site as being potentially vulnerable, but we have tested our products/versions and they are not vulnerable to this issue.  F5 Networks has published a security advisory in the past to cover a similar vulnerability and provide best practice recommendations.  These best practice recommendations can be found at the F5 support site.

Tuesday, December 8, 2009

X marks the Games

Sony Playstation Celebrates Its 15th Anniversary, Happy 20th birthday, Game Boy, Happy 10th anniversary, Sega Dreamcast! and November Marks the Launch Anniversary of Many a Gaming Platform.  Gaming has come a long way since the Atari 2600 and the Fairchild Channel F, when we would screw those little U connectors to the UHF/VHF thingy.  Then we got ColecoVision’s arcade quality games like Donkey Kong and the early Nintendo’s and Sega’s, up to today’s Sony PlayStation, Microsoft Xbox (there’s your 24th letter) and Nintendo Wii.  These days, not only can you hook your console up to your TV monitor, you can connect to the internet and play games online, even without a console.  While gaming threats & breaches don’t always make the splashy headlines like stolen credit cards and hacked financial applications, there are still plenty of things to worry about while you’re having fun.  Whether you’re a player or provider, the risks are out there and many (both technical & social) are no different than the exploits, malware and thieves we typically hear about from general online communities.

Over the last couple of years, a number of online gaming sites experienced DDoS attacks that forced outages and tossed some sites offline, and even Pirate Bay got hit with a DDoS attack when their users were not happy about the sale to Global Gaming Factory.  Even back in 2004, there were articles that covered the Security Issues of Online Gaming and a few of the issues mentioned still hold today.

For users, the risks loom since they spend a lot of time and money on these games and there are always crooks out there looking to exploit that.  There is also a significant amount of social interaction with other players and many of the social media threats, like being tricked into exposing personal or financial information, are just as prevalent.  And it’s not just hidden criminals.  Full-on media companies offering rewards, points or other game enhancements trick users into signing up for bogus offers and monthly subscriptions, all while capturing their email address, credit card and other personal info.  This is quick money for game developers (and social sites, advertisers and others) even if it is done in an unscrupulous way.

Malware infections, whether worms, viruses or bots, are also a risk.  Most of us have learned that we should not click on an embedded email link for fear of computer infection.  But do you use the same caution when searching for a new/hidden game file or conversing with another player over IM?  They might have been part of your online ‘team’ for some time and you’ve exchanged tips.  Then they promote some cool new ‘add-on’ and send you an IM saying, ‘download this hidden gem – earn points faster!!’  Would you use the same caution as with a phishing email or click away?  If the game required administrative rights for installation, would you grant it?  Would you allow all JavaScript and ActiveX to run, knowing the inherent browser risks?  Also, since you’re playing online, you have to be connected to a server somewhere.  Is that server vulnerable?  Has it been compromised?  If it has, then you too can be vulnerable – it’s really no different than other server exploits.  This applies to game operators also.  How are you protecting your infrastructure from malicious behavior?

This document (pdf) from US-CERT has a nice overview of avoiding online gaming risks, was an inspiration for this blog post and offers several protective measures….which look a lot like the general security good practices we hear on a daily basis:
• Use antivirus and antispyware programs.
• Be cautious about opening files attached to email messages or instant messages.
• Verify the authenticity and security of downloaded files and new software.
• Configure your web browsers securely.
• Use a firewall.
• Identify and back up your personal or financial data.
• Create and use strong passwords.
• Patch and update your application software.
Not to dampen any of your fun this year as many of us rip open new gaming consoles, connect them to the internet and start firing away, just use the same caution, suspicion and protection when you enter that fun zone.  Don’t let your guard down just because you’re having a great time – that holiday glee can morph into your winter of discontent with a single click.


Monday, December 7, 2009

Pearl Harbor, Punchbowl and my Grandparents

In honor of Pearl Harbor day, I want to take a quick break from 26 Short Topics to share a bit of history you might not know about.  This has nothing to do with technology, security or our awesome BIG-IP solutions, but I felt compelled to honor both my grandparents and service men/women everywhere today.  I am Hawaiian (1/8th, direct from the Kekaulike line), was born there and most of my ancestors lived there while it was still a Monarchy.  My great-grandparents and grandparents were all born and raised there and some witnessed the destruction that day.  A shell had even landed in my grandmother’s backyard while they were at church!  Both my grandfathers played a significant role in the days and weeks following the bombing.  One of my grandfathers was a carpenter and lived in Pauoa Valley (O’ahu), which is situated right next to Punchbowl, National Cemetery of the Pacific.  While many equate Honolulu with Diamond Head (or Leahi – Brow of the Tuna – to Hawaiians), Punchbowl is also an old volcano crater that helped create the island.  When my grandfather was a kid they used to play there and he spoke of many fun times running around inside Punchbowl as a youngster.

When Pearl Harbor was hit, many locals were called (and wanted) to help, as you can imagine.  As my grandfather tells it, they needed a place to temporarily put those who had died and Punchbowl was the closest (about 15 miles), had the space and was known as the ‘Hill of Sacrifice’ to the ancient Hawaiians, so it had historical significance.  Being a carpenter and living less than a mile from Punchbowl, he was part of the team that built the wooden caskets for the fallen.  As the days went on and suitable relocations were not available, they decided to start properly laying to rest those who had perished – right there at Punchbowl, including an uncle of mine.  The Pearl Harbor victims were among the first to be buried there, 776 of them.  About 8 years later, they officially dedicated it as the National Memorial Cemetery of the Pacific – it’s the Arlington for the Pacific Fleet.  Those who have served in the Pacific Fleet actually have their choice of Virginia or Hawaii as their final resting place, as I understand.

My other grandfather, who happened to be a Hawaii cop at the time, was born in Yokohama (although not Japanese) and had learned Japanese while attending school there.  He moved to the Hawaiian Islands with his parents when he was still a teenager and grew up on the Big Island.  Since he understood Japanese, the US Government had him guard the Japanese consulate when the US declared war.  He really didn’t like the assignment since he had become friends with the staff due to being a local police officer and had fond memories of being in Japan.  After the attack, there were curfews and blackouts, and my grandfather had to make sure there was still a little illumination but nothing bright.  One evening as he was covering an exposed light bulb with a mimeograph carbon copy he pulled from the garbage, he noticed the backwards Japanese characters of a letter.  As he looked closer, it contained information about the locations of ships and other munitions stationed at Pearl Harbor, which became a key piece of evidence as they started to piece together what happened.

As the years roll on and those who witnessed the Pearl Harbor attack become memories themselves, I offer these few short stories to the great Internet to file, store and recall whenever someone wonders about all the little back stories of this significant event in our history.

Wednesday, December 2, 2009

Windows Shopping

I’m really not one of those vocal Operating System lovers/haters. My dad worked at IBM for 30 years and so I grew up with computers and even took a PC Jr. with a whopping 128k of RAM and a color (what we called color) monitor with me to college in the 80’s. My first work computer was a Macintosh and I learned about all that AppleTalk stuff and the cool publishing Quark could do. I’ve used and administered Win3.1, NT 4.0 (on laptops), Win95, WinME, Win2000/Server, and of course been a user of XP and Vista along with a few variants of Linux. I use Windows for home and work and personally I think each OS has its pluses and minuses. Very non-committal, I know. Now I’m looking to buy a new computer and with that, a new Operating System.

If you’ve been avoiding the news, TV or print ads over the last year, Windows 7 is the long awaited new OS from Microsoft.  Much has been written about Vista and the delicate balance between usability and security.  People want to be protected and secure but also want to do their daily computing tasks without much interruption.  Enterprises need to secure their access points but users want to single click to everything.  There has to be a balance.  With the endless amount of threats, I want a box that has the basic protections but also want to make some security decisions myself.  I also want to make sure that the computer I choose abides by the company access policies in place, in case I need to connect to my corporate network since I probably will be doing some work from my home computer.  This has become a requirement in recent years as tele-working continues to grow.  With Windows 7, Windows Server 2008 R2 and Direct Access, folks will be able to do that with ease.  F5 recently announced solutions to optimize Win7/Server 2008 R2 deployments and our FirePass SSL VPN already supports Windows 7 clients.

Sifting through some of the recent articles about Windows 7, there is this one that indicates Windows 7 is gaining but at the expense of XP – this one that announces Windows 7 passed Mac OS X in market share – and this one that says ‘Of all new Windows 7 users, 70% said that they were "extremely satisfied" and another 24% said they were "somewhat satisfied" with the operating system.’  And it seems like they’ve answered the most recent BSOD, saying it probably was malware but will still wait to see the final outcome.  Then, of course, there’s the Windows 7 Whopper to contend with while I figure out which hardware platform I want.

Thursday, November 19, 2009

Virtualization is Real

I remember back-in-the-day when Virtual meant ‘almost,’ ‘simulated’ or ‘in essence’ as in, ‘I’m virtually there.’  Today, as it has made its way into computer terminology, it can mean actual or real things that are done over computers.  Virtualization has been the main enabler of Cloud Computing and has become an important tool for IT.  I recently attended the 2009 Cloud Computing and Virtualization Conference & Expo in Silicon Valley and wanted to share some of my observations.  The show has certainly grown from last year but is still a nice small(er) conference with a lot of opportunity for good conversations.  Cloud ‘solutions’ seemed to dominate the talks even though there is still a lot of confusion about the Cloud, with a good portion of participants appearing to be in the investigative/learning stage.  Many of the attendees were still just trying to understand the whole ‘cloud’ terminology and I felt like one of the most informed – which means there is still plenty of opportunity to educate folks.  Security was a big topic as you can imagine, but this year it seemed like the presentations were focused on solving those fears instead of just listing them as inhibitors.

One of the sessions I enjoyed was ‘Cloud Security - It's Nothing New; It Changes Everything!’ (pdf) from Glenn Brunette, a Distinguished Engineer and Chief Security Architect at Sun Microsystems.  He first reviewed the hallmarks of information security: CIA, the Guiding Principles, Managing Risk and so forth, and indicated that the Cloud doesn’t change any of that – there’s no difference in what drives security or the concepts, it’s the Implementation that is different.  So if the overall Security Services are the same, and if the traits are the same – what’s missing?  According to Glenn, the thing that Cloud Computing Security demands is: CONTEXT.

He reviewed some of the challenges facing Cloud Security:

Speed – the agility to quickly configure services.  Security is usually the last part of the architecture, but how do you secure services and enforce policy when units are getting spun up/down at a rapid pace?  It’s an opportunity to re-think.  One thing Sun (and others) are starting to do is bake security best practices right into the image before sending it to the cloud.  Why make the customer deal with securing the underlying system when the provider can build the needed security right into the image?  Pre-integration and assembly allows the customer to still deploy quickly but securely.

Scale – Today security administrators deal with 10’s, 100’s, even 1000’s of servers, but what happens when potentially tens of thousands of VM’s get spun up and they are not the same as they were an hour ago?  Security assessment tools like Tripwire, while they work, inject load, and what if those servers are only up for 30 minutes?  How can you be sure what was up and offering content was secure?  One idea he offered was to have servers only live for 30 minutes, then drop and replace them.  If someone did compromise the unit, they’d only have a few moments to do anything and then it’s wiped.  You can keep the logs but just replace the instance.  Or, use an Open Source equivalent every other time you load, so crooks can’t get a good feel for the baseline system.

Accessibility – anyone with a credit card can now deploy cloud services.  Maybe someone feels IT is too slow in deploying a particular service and decides to do it themselves.  They now have substantial resources available and not a lot of knowledge of current policies.  How can you be sure that the policies are enforced across the board on all deployments?

Transparency – Customers need a comfort level to know how the data is kept safe, how keys are managed, how they constrain a problem in the cloud – essentially understanding the provider’s standards and processes.  There are more IT elements, more change events, more data and less control – that’s the fear.  The cloud makes these challenges more visible.

Consistency & Integrity – knowing the exact configuration of any machine at any time.

Key Management – this is a huge problem with providers.  Doing a backup to the cloud (while keeping the keys close) is OK, but if you intend to use that data then the keys also need to be stored in the cloud.  Being able to do a fast recovery can also require keys out there.  Additional legal verbiage is what typically covers key management today.

Accountability – Service Level Agreements.  SLAs are not so strong on the provider end and customers often need to negotiate this area.

Compliance – auditors.

There are changing architectural strategies in the cloud. Tight Integration becomes Dynamic Assembly; Inspections become Telemetry of Objects; Repair & Recover turns to Recognize & Restart; and Log Scraping becomes Analytics. You just need to change some of the old habits. Opportunities exist for standardization but in the meantime, get to a manageable set of things that need to be done and build upon the automation. Glenn closed with his Cloud Security Rules:
  • Embrace Security Systematically
  • Design for High Survivability (fight thru)
  • Compartmentalize failure (nodes going down)
  • Minimize Trust Boundaries (how far does the data go)
Good advice.

Friday, November 13, 2009

You’ve Taken That Out of Context

Hello and Welcome to the new hit Game Show: You’ve Taken that Out of Context!  Hilarity ensues in this action-packed half-hour when contestants try to deliver the appropriate resources to end users depending on several factors and circumstances.  So let’s get right to it: Our first contestant is Danny, an IT Director from Boston, and he’s getting his first request…..OK, user is coming from a home computer, without a certificate, from a broadband connection and is a partner – what are you going to give them, Danny?  Wow, Excellent!  You’ve provided a simple web application, delivered through a reverse proxy, so he can enter his time & materials expense report.  Great decision, Danny!  Our next contestant hails from Chicago and runs a data center for a large manufacturer, please welcome Greg.  Whoop, here comes Greg’s request…..User is a trusted employee in sales needing to enter customer info, using an IT-issued laptop with specific reg-keys and updates but working from a wireless network.  How are you going to handle it, Greg?  Nice move!  Offering them not only their specific order entry application that’s optimized but also giving them a connection to Exchange so they can download their email to stay current.  Sweet – keeping users productive while on the road – great work.  And our last contestant comes from Texas where he’s the Network Engineer for a distribution company – round of applause for Tom!  Alright Tom, let’s see your request.  It’s coming fast, user is a vendor who needs to see inventory levels.  They are coming from their corporate LAN on an IT-issued computer and have a certificate for certain applications.  Whatcha gonna do, Tom?  A full Layer 3 network connected tunnel?  Well, let’s see.  They get connected, they are navigating to their favorite app, so far so good, and logging in, cool.  Wait, what’s this – the user has initiated a sniffer and found some financial docs.  Oh no!  He’s downloading the latest financial statements that aren’t public!  That spreadsheet has much of our sensitive data but it’s too late, they are long gone along with your data.  Sorry Tom, a little too generous with that, but you do get a copy of our home game where players act out partial scenes and you have to guess the context!  Thanks for playing.

User Centric or Context Aware Computing is finally starting to gain some traction, partially driven by cloud computing.  User Centric or Contextual Based networking is simply Adaptive Access: using intelligence to dynamically change the security applied to a specific access request based on the context of that request, the resources being accessed and the policy applied between the two.  The goal is to provide a unified method of applying security and delivering applications regardless of the actual security in effect, the network or the device being used to request access.  It’s access security based on user, device, location and integrity, both at the time of the request and for the duration of access.  It provides intelligence, adaptability and auditability for every user, every time.  It is about the environment or conditions surrounding an event and informs us about it.  With that information, we may perceive something differently, which might change our view and maybe our decisions.  It’s about seeing the bigger picture and making better decisions by comparing the information we have about the request along with the requirements of the application and policies in place to deliver the proper access.  Gartner calls this the ‘Digital Me.’

Gartner predicts that by 2012, there will be more than 7.3 billion networked devices worldwide and 298 million subscribers of location-based services.  This is more than just delivering secure applications, it’s also about delivering the right resources to the right user at the right time.  More than ever, users are dispersed all over the globe, arriving from a multitude of devices and networks while requesting access and information from your systems.  You need to offer the proper access to that user in a quick, secure and efficient manner with the proper controls.  You need to make the right decisions based on that moment of information as we move from Identity-based (user/password with some customization) to Contextual-based (Identity plus a whole lot more) delivery models.  You need to ensure that no one is coming in or taking anything out, without context.
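To make the game-show decisions concrete, here is an added example (not code from the original post, nor any F5 product's policy engine) that evaluates the three contestants' requests from their context. Roles, field names, resource labels and access tiers are all assumptions chosen for illustration; the point it shows is that device and network posture only ever lowers access, while the role sets a ceiling that posture cannot raise, which is what keeps Tom's vendor off a full Layer 3 tunnel.

```python
"""Context-aware access decision for the three game-show scenarios.

Constructed example: role names, context fields and access tiers are
assumptions, not a real product's policy model.
"""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    """Access tiers in order of increasing privilege."""
    DENY = 0
    WEB_APP_VIA_PROXY = 1   # one web application behind a reverse proxy
    APP_PLUS_EMAIL = 2      # optimized application plus Exchange connectivity
    FULL_L3_TUNNEL = 3      # network-layer tunnel: the whole LAN is reachable


@dataclass(frozen=True)
class Request:
    """Context of one access request (all fields constructed)."""
    role: str             # "employee", "partner" or "vendor"
    device_managed: bool  # IT-issued device with required reg-keys/updates
    has_cert: bool        # client certificate presented
    network: str          # "home", "wireless", "corporate_lan", ...
    resource: str         # what the user is asking for


# Ceiling per role: even a fully trusted context never exceeds this.
# Partners and vendors are never handed a network-layer tunnel.
ROLE_CEILING = {
    "employee": Access.FULL_L3_TUNNEL,
    "partner": Access.WEB_APP_VIA_PROXY,
    "vendor": Access.WEB_APP_VIA_PROXY,
}

# Resources each role may ask for at all; anything else is denied
# before device or network posture is even considered.
ROLE_RESOURCES = {
    "employee": {"order_entry", "exchange", "financials", "expense_report"},
    "partner": {"expense_report"},
    "vendor": {"inventory_levels"},
}


def posture_tier(req: Request) -> Access:
    """Tier that device and network posture alone would justify."""
    if req.device_managed and req.has_cert and req.network == "corporate_lan":
        return Access.FULL_L3_TUNNEL
    if req.device_managed:
        return Access.APP_PLUS_EMAIL
    return Access.WEB_APP_VIA_PROXY


def decide(req: Request) -> Access:
    """Least access that serves the resource, given the full context."""
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return Access.DENY
    posture = posture_tier(req)
    ceiling = ROLE_CEILING[req.role]
    # Posture can only lower access; the role ceiling caps it.
    return posture if posture.value <= ceiling.value else ceiling


# The three contestants' requests as described in the post.
DANNY = Request("partner", False, False, "home", "expense_report")
GREG = Request("employee", True, False, "wireless", "order_entry")
TOM = Request("vendor", True, True, "corporate_lan", "inventory_levels")

if __name__ == "__main__":
    for name, req in (("Danny", DANNY), ("Greg", GREG), ("Tom", TOM)):
        print(f"{name}: {req.role} -> {decide(req).name}")
```

Tom's vendor has the strongest posture of the three (managed device, certificate, corporate LAN), yet still lands on a single proxied application, because the role ceiling, not the posture, is what bounds the decision.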


Friday, November 6, 2009

IPv6 and the End of the World

There have always been a certain number of conspiracy theories when security-type events happen or when there is secrecy. There are those who don’t buy the ‘reported’ reason a security event (like a breach) occurred, those who claim to have inside information or just those who see a story and draw their own conclusions. The following is my take (Satire Alert) on Transmission Control Protocol/Internet Protocol v6 and the end of the world as we know it. That can affect our security, right?!?

    Recently there have been more than the usual number of articles about IPv6 and the need to deploy it soon since the v4 blocks are almost gone. Yes we’ve been hearing this for years (RFC2460 was defined in December 1998) but now the hype may be over as indicated in this article. There are many security enhancements in v6 nicely covered here but that’s not where I’m going.

    In my first blog post on DevCentral, aptly titled First Post, I introduced psilva’s prophecies. I’ve been in the Internet industry since ’94 and while not a ‘know it all’ I have seen my share of changes and have seen a bunch of ‘ideas’ over time come true. For instance, I had always thought that the Internet would eventually become our entertainment delivery method and some 14 years later, that’s the case. That’s not that wild as I’m sure many of you figured it was only a matter of time once we started to see streaming video and broadband to the home. In that First Post, I offered my prediction of how our nomenclature might change over the next 50-100 years. That now, we no longer give our full name/address for contacting/correspondence as we’ve done in the past – we just give email. The idea was that over time, our current first/last naming convention might dissolve to where we are known as users@domains or a single string of characters. Twitter is enforcing that with their @namingconventions.

    IPv6, at 128 bits (v4 is 32-bit), gives us the ability to assign an IP address to just about anything – heck, all the portable mobile devices we carry each need one, and consumer appliances like TVs, refrigerators, thermostats, DVRs, garage door openers, coffee machines and just about any electronic item could potentially have an IP address. Schedule your toaster via a Web GUI to perfectly brown your bagel when you get home. You can already control your lights and alarm systems over the internet. In addition, each one of us, worldwide, would be able to have our own personal IP address that would follow us anywhere.  Hold on, I’m getting a call through my earring but first must authenticate with the chip in my earlobe. That same chip, after checking my print and pulse, would open the garage, unlock the doors, disable the home alarm, turn on the heat and start the microwave for a nice hot meal as soon as I enter. I could chip my child (like the dog) to be able to GPS their behind if they are not at the movies as indicated. Not so farfetched. That doesn’t sound so sinister, psilva, how can that be the beginning of the end?

    OK, now the fun begins.  While not a Nostradamus follower, although the History/Discovery Channels have covered him often, he does have something to say about numbers. You might remember he got a lot of press and was the subject of spam after 9/11 due to this quatrain, which his followers say indicates that he predicted that disaster. Conspiracy? He was very much into numbers and also indicated that when we are all identified as numbers, that will be a sign of the impending doom. We do have a numbering system in the States called a Social Security Number, which is our Gov’t identity and very much linked to our own security. With IPv6, now the entire world can be identified by number, and thus fulfills psilva’s prophecy #2.  The timing is right also.  2012 is getting a lot of play as the end of time.  Both the Mayans and Nostradamus feel that 2012 is the end of days and Hollywood has taken notice.  Now this does slightly negate my 1st prophecy since I’m giving our name change around 50 years, but 2012 does sound about right for a full IPv6 transformation so it does fit nicely with doomsayers – if you’re into conspiracies.


    Wednesday, October 28, 2009

    Social Media – Friend or Foe

    Social Networks are now part of our society for better or worse.  They have allowed us to both connect with current friends and find pals from the past; they offer businesses another outlet for marketing and sales; they allow us to collaborate, discuss and converse on any topic imaginable.  And due to their popularity, they also give thieves and other criminal types an inroad to deliver malware, steal identities, spam, stalk, and do many other nasty things to expose personal and corporate information.  Since so many people are on a single platform, where trust is somewhat inherent, it’s much easier to get someone to click a link than it is to technically hack their system.  There has been so much written about this topic, and in the spirit of sharing, I thought I’d offer just a few interesting stats, stories and suggestions from the various pundits on the topic:
    Tweet Breach: 140 Characters of Sheer Destruction: This article tells the tale of a seemingly innocent tweet that turned into a nightmare.  The author also defines the term - tweet•breach.
    NFL restricts Twitter use: This is just one instance of how professional sports is dealing with social media and the instantaneous updates.  We’ve already seen a few players get into some trouble over their tweeting.
    Statistics Show Social Media Is Bigger Than You Think: This is a fascinating list of statistics pertaining to Social Media, including this gem - Years to Reach 50 million Users:  Radio (38 Years), TV (13 Years), Internet (4 Years), iPod (3 Years)…Facebook added 100 million users in less than 9 months…iPhone applications hit 1 billion in 9 months.  Many of the comments are just as engaging.
    Top 8 Social Media Security Threats: A listing and description of many of the most recent Social Media focused attacks.
    Social Networks Increase Risks to Online Privacy: His own personal account of falling for a scam.
    Are social networking sites good for our society?: Very detailed article with plenty of stats and stories including the ever popular Franklin T-Chart with Pros/Cons of Social Networking.
    Identity theft is too easy and can even be automated says IT security expert: From RSA Europe, this article describes a co-worker’s challenge to steal her identity and the steps the ‘friendly-perpetrator’ took to do just that.
    Breach 2.0: some best practices for protecting company info and employee data.
    Developing Social Media Policies for Business: Another with stories, stats and considerations when developing a Social Media policy.
    And with that, I’ll let you get back to mingling on Twitter, Facebook, MySpace, YouTube, Digg, Technorati, and all the others.  Incidentally, you can follow F5 Networks tweets at http://twitter.com/f5networks (@f5networks) and mine is @psilvas. 

    Wednesday, October 21, 2009

    Will you Comply or just Check the Box?

    Some of both, apparently.  A recent Ponemon Institute PCI-DSS Compliance survey revealed that 71% of companies actually admitted that data security is not a top priority, and 55% say they are only protecting credit card data and not other sensitive information like bank account info, social security numbers and driver’s license data.  Additional statistics show that a minuscule 28% of smaller companies (501-1000 employees) are PCI-DSS compliant and around 70% of large companies (>75,000 employees) say they meet the Regulations.  The one that jumps out for me is the small merchant stat.  I understand that cost is a large factor for smaller companies to be PCI compliant, but just imagine how many companies and industries fall into the 501-1000 employee category.  And that doesn’t count all the even smaller ‘Family Owned’ restaurants, auto repair shops or any other service where you say, ‘I like them because they are local or family owned.’  Unfortunately, those friendly establishments might not be a BFF with your sensitive data.  I’m not saying to avoid your favorite Chinese take-out, but also be aware that the numbers are against you.

    There are a couple of interesting PCI developments coming over the next year.  As I mentioned in Regulation Roundup back in February, the PCI deadline for unattended, Point-of-Sale PIN entry devices is July 10, 2010.  These are those standalone ‘Pay for your parking’ machines, gas station terminals, ticket kiosks, vending machines and any other terminal where a PIN might be entered.  First, July 1, 2009, was the deadline for Triple-DES to be mandated for all debit transaction processing.  And next July, all fuel pumps (and like terminals) will need to have an encrypted PIN entry pad, be able to encrypt the PIN itself and process using TDES.  I imagine there will be another mad dash next spring for merchants to get in compliance.
    The other PCI piece is that, come summer 2010, PCI will be making some regulatory changes to update the PCI standards, including 3rd party audits (Level II), tokens, end-to-end encryption and potentially Virtualization Security.  Some of these changes should help in protecting our data.

    And if you think skirting regulations might be a money saver, take a look at this article where the FTC has recently fined ChoicePoint for not adhering to the agreement made in 2006 for the huge 2005 data breach.  They just got whacked with another $275,000 for removing a database security monitoring tool.

    As I finish up the 18th entry of 26 Short Topics I’ve noticed Regulatory Compliance, especially PCI, comes up frequently.  Maybe it’s the constant surveys, startling numbers, never ending breaches and media reports or maybe, it’s that PCI-DSS, while not perfect, affects almost all of us and it’s like we’re in it together.  You might not know, get along with or like your neighbor but if you shop at the same store and they are breached, suddenly you’re both in the same boat - ‘Hey, that happened to me too!’  It’s one of those things that we all should care about.


    UPDATE - Added 10.22.09:  ChoicePoint would like to clarify the characterization of the FTC situation and I'm happy to include this for accuracy:

    "Your piece titled "Will you Comply or Just Check the Box" touches on recent ChoicePoint/FTC news and the company would like to request a clarification.

    1.      In regards to your report that a "fine" was levied by the FTC
    a.      While the Commission has authority to seek a civil penalty, http://ftc.gov/ogc/brfovrvw.shtm it expressly did not do so in this case, as the language of the Order and the amount of monetary relief indicate.  The Supplemental Stipulated Order itself in Part I provides for "monetary relief...to be used for equitable relief, including, but not limited to consumer redress and any attendant expenses...."  The FTC incorrectly characterized the monetary payment as a "penalty" in its initial press release and has since revised its press release to correct this point.  The payment was made pursuant to the court's equitable authority to address compliance with its orders.  The payment is not punitive in nature and neither the Order nor the FTC press release (as modified) characterizes the payment as a fine or a penalty.

    Thank you so much for your time and attention. We would very much appreciate your correction of the record."

    - Not a problem, thanks for the update and appreciate the clarification.  ps