Sunday, February 25, 2007

Virtual Trade Show Appearance (is that the right word?)

A couple of days ago I participated in a Ziff Davis Virtual Tradeshow on Security Management. This was a "live" event for one day but the sessions are archived for several months for people to browse. If you want to listen to the presentations (including mine) you need to go to this page and register. The registration process asks quite a few questions, but that's the price you pay for free education, so to speak. The keynote was by Peter Neumann who [IMHO] is always worth a listen.

If you check out my session on security awareness programs you will find it is taken at a pretty fast pace owing to time constraints of the format. So, I plan to podcast a less strenuous and hopefully more informative version as soon as my head cold clears up (if I record it white dow ewe wood nut udder stand be).

Friday, February 23, 2007

SaaS Challenge Mounts: Is Google the next Microsoft, security-wise?

Two eWeek headlines appeared this week, as if on cue, one right after the other: Google Patches Security Vulnerability in Desktop Search and Google Apps Premier Edition Takes Aim at the Enterprise.

What do you bet that the sparks really flew at Google HQ over that timing? First, a quick reminder that we, Google, have to patch security holes, just like Microsoft. Followed by, tada! Premium enterprise apps, just like Microsoft. From my perspective this was great timing, IF it helped potential enterprise clients stop and think twice before embracing software as service web apps.

Don't get me wrong, I have been using and enjoying Google's free document and spreadsheet apps in beta. They offer a lot of convenience (not to mention great functionality for the price). But you won't find me using them for sensitive business data any time soon. There is no way I am going to be the first to find out that Google, in its enthusiasm for offering neat tools to the world, missed some of the security implications and exposed "my stuff."

From an enterprise perspective I would be blocking employees from using the free version on company machines and connections. And, no offense to Google, but I would not adopt the paid version without a very intense security review. (How intense? I don't think there are more than two dozen people on the planet with the kind of smarts it takes to do that sort of review to an appropriate enterprise level of assurance.)

What Did I Tell You? Google looking like a nexus of insecurity

I've been saying this for several months now. I highlighted it in my keynote at the Enterprise Security Asia conference. Google could be the next big thing in security, as in "insecurity." The recently announced hole, now patched, that permitted cross-site scripting attacks via Google Desktop, is only one aspect of "the Google factor." The concern is that Google has many of the characteristics of a "nexus of insecurity." Here are some of those characteristics:
  • New and exciting
  • Popular and widely used
  • Cross-platform
  • Network-based
  • Rapidly growing
  • Easy to install
  • Becoming a standard
  • Processing sensitive data
A good example from the past is Microsoft Word. There was a time when this application was not a major source of security problems. Then came the first Word macro virus, in 1995, and everyone suddenly realized that the Word doc format was a de facto, cross-platform standard, one in which companies stored highly sensitive information (often the best nuggets of corporate data are distilled into memos and letters and reports written in Word). It also became clear that Word documents were traveling from network to network and across corporate boundaries thanks to email. Then it became clear that Excel spreadsheets were also an issue, then PowerPoint, and so on.

Now, let me make it clear that I have no knowledge of Google's security strategy or how it schools its programmers in secure coding, or how it tests its code before putting it into production. Google may be doing a great job in all these areas. I would love to find out that they are. All I am saying is that, historically, software possessing the characteristics listed above has tended to become a source of security problems.

Tuesday, February 20, 2007

The Last Great Security Crisis? Sadly Not

You can't read all the security pundits all the time, but I usually take time to read Larry Seltzer at eWeek. So I am not knocking Larry when I take issue with his recent column titled the Last Great Security Crisis. Indeed, it is well worth reading and sheds light in an area that needs it: application security.

Larry is not talking about web apps or Software as a Service but Microsoft Office apps, arguably the biggest single gateway to networked computers and sensitive data on the planet. Whuh? That's a pretty sweeping claim. But think about it. Just about every organization's really important data is currently condensed into Word documents, Excel spreadsheets, and PowerPoint slides.

Want to know what is going on in a company? Forget mining complex databases, look for the highlights, which are more often than not found in some kind of doc/xls/ppt file, starting with executive summaries of everything from new product development to sales projections to cashflow analysis. Combine that with the seemingly endless stream of holes and you have the ingredients for a permanent security headache (as opposed to the plain human headache you get from trying to picture a stream of holes).

How many organizations eventually get to experience that headache will depend on a number of factors, from the diversification of applications and formats (Mac, PDF, OpenDocument, XML, etc.), to the actions of the world's bad actors. The latter may focus more on desktop application vulnerabilities if Vista does deliver an improvement in overall enterprise security. It's that old displacement of risk black magic. As long as bad actors are plentiful and well-motivated (actually it seems like that should be badly-motivated, but you know what I mean) the overall threat level will not go down, it will just keep seeking the low-hanging fruit and the easy wins, which will be losses for legitimate users.

Saturday, February 17, 2007

The Next Big Enterprise Threat? It's time to think SaaS = Software as a Service

I recently asked my good friend and security guru David Brussin for his thoughts on emerging threats to enterprise security. In response he posted a very interesting entry on his blog about SaaS. I highly recommend this to CIOs and CSOs as well as CISSPs.

And for readers who are none of the above, and thus in danger of drowning in initials and acronyms, let me make it clear that:

SaaS = Software as a Service
SARS = Severe Acute Respiratory Syndrome (a non-IT enterprise threat)
SpIT = Spam over Internet Telephony (VoIP)
SpIM = Spam over Instant Messenger
CISSP = Certified Information Systems Security Professional

Hopefully this will help folks disambiguate a few of these threatening things.

Thursday, February 15, 2007

Free Mike Cobb Security Webcasts and Podcasts Now Available!

That's right, my brother Mike, the younger one (and some would say, the smarter one) is a fellow author and CISSP. And he has pulled together his recent security webcasts on one handy page. Just click and learn. Here's what is available right now:

Messaging Security: Preventing Data Loss and Malware Infection through Electronic Communications -- In this webcast, discover the many procedures, tools and policies available to Windows security administrators to secure an enterprise's electronic communications. Find out more about this webcast by Mike Cobb.

Messaging Security: Understanding the Threat of eMail and IM Attacks -- This 15-minute podcast helps assess the evolving threats to enterprise communications. Mike investigates the severity of phishing and IM virus threats, and spends time assessing the effectiveness and requirements of unified messaging security products. Find out more about this podcast by Mike Cobb.

How Simple Steps Ensure Database Security -- This podcast examines some of the most common database attacks, including SQL injection, cross-site scripting and weak/default passwords. Learn how you can protect your database from these threats and listen to this podcast now. Find out more about this podcast by Mike Cobb.

Web Security School -- Learn how to harden a Web server and apply countermeasures to prevent hackers from breaking into a network. Study at your own pace and learn how to implement security policies and test a Web site's security, as well as how to handle a breach should the unspeakable happen. Michael Cobb will also arm you with tactics for creating a human firewall to combat problems such as phishing and spyware. This course consists of an entrance exam, three lessons -- each consisting of a webcast, technical paper and quiz -- and a final exam. You'll also find handy checklists that you can download and use on the job. All of these resources are available on-demand so you can learn at your convenience. Find out more about this webcast by Mike Cobb.

Five common application-level attacks and the countermeasures to beat them -- This on-demand webcast reviews five of the most common attacks against applications: active content, cross-site scripting, denial of service and SYN attacks, SQL injection attacks and malicious bots. For each, Michael Cobb explains how they work, the damage they're capable of doing and how pervasive they are. He also arms you with:
  • Specific countermeasures for each of these attacks
  • The security policies and security defense technologies worth considering for safeguarding applications against each attack
  • How to improve incident response in the event of an attack
  • A quick overview of other, less common (but potentially damaging) application attacks that you need to be aware of
All of these resources are available on-demand so you can learn at your convenience. Find out more about this webcast by Mike Cobb.

Wednesday, February 14, 2007

Good Intentions, Wrong Conclusions: Bill Gates' security vision at RSA is cloudy at best

Said Gates: “Security is the fundamental challenge that will determine whether we can successfully create a new generation of connected experiences that enable people to have anywhere access to communications, content and information.” (DailyTech)

Well, that sounds good, but what does it really mean? Will lack of security prevent a new generation of connected experiences being created? No. We have seen several generations of insecure connected experiences created. Their lack of security has not doomed them. Yes, security issues have meant slower and more shallow adoption than might otherwise have been achieved. And security problems have in general made the experience less enjoyable than it should have been (not to mention a royal pain in the pocket book in specific cases where the lack of security was exploited by particularly bad or careless actors). But success is relative and often based on expectations.

Mr. Gates would certainly be unwise to make higher levels of security the only measure of success. But I think that Mr. Gates is quite capable of being unwise. After all, this is the man who said spam would be a thing of the past--by this time last year. Sadly, the place where the Gates vision falls short is in its expectations of people. I say sadly because I think Mr. Gates is basically a very decent chap, one who has consistently under-estimated the decency deficit out here in the real world, while over-estimating technology's ability to make up for it.

Consider what else he said: “The answer for the industry lies in our ability to design systems and processes that give people and organizations a high degree of confidence that the technology they use will protect their identity, their privacy and their information.”

No, Mr. Gates, that is not where the answer lies. The answer lies in the overall standard of human behavior. Until that improves, connected experiences that enable people to have anywhere access to communications, content and information will suffer at the hands of bad people. Folks may not suffer to the extent that they give up on those experiences. But they won't be able to enjoy them as much as they should and a large chunk of resources will likely be consumed trying to maintain a barely tolerable level of enjoyment. Technology is not the answer to bad behavior.

Saturday, February 10, 2007

4th Annual Enterprise Security Asia Conference

A big thanks to the folks at AC-Nergy who put on an excellent conference in Kuala Lumpur last week: Dyanna, Jin Yin, Christopher, and Andrea. Also to chairpersons Michael Mudd of CompTIA and Stan Singh of PIKOM.

The two sets of slides that I presented can be found at the newly re-launched Cobb Associates site. And a quick reminder to (ISC)2 attendees: this event is approved by (ISC)2 for CPE credits.

Wednesday, February 07, 2007

Meet the new OS, same as the old OS: AV, Vista, and Microsoft MS-DOS 6

News that Microsoft's own anti-virus [AV] product does not do a good job of protecting the new Microsoft Vista operating system will come as no surprise to the infosec "old guard" who remember Microsoft's first foray into anti-virus back with MS-DOS 6.0 in 1993. A detailed deconstruction of this product's shortcomings was written by one of the early AV pioneers, Y. Radai at the Hebrew University of Jerusalem. He graciously allowed me to reprint it in my PC and LAN security book and a copy is archived here in an Adobe PDF.

Unless you are a real AV history buff you may not want to read the whole thing (and if you are a real AV history buff you've read it already). But everyone should take note of the final sentences where Radai summarized the effects of Microsoft's decision to make its own AV and bundle it with the OS:

    True, many people who have never before installed AV software will now do so, and this seems to be a benefit. However, they will be under the false impression that they are well-protected.

Enough said? After all, few things are more worrying to an information security professional than someone having a false sense of security. One of them is a lot of people having a false sense of security.

And who are these folks who just gave Microsoft Live OneCare a failing grade? Virus Bulletin, which has a sterling reputation for objective AV testing. If VB says a product does not do a good job, you can rest assured it does not (of course, depending on the product you are using, the assured rest may not come easily).

Sunday, February 04, 2007

More VA Data At Risk? Reminds me of last summer

Looks like another black eye for the Department of Veterans Affairs. A hard drive containing thousands of unencrypted records apparently went missing. Here is what I wrote last summer for a local magazine, after the BIG data leak at the VA:

During a hotter than average summer you might think the only exposure problems we face in Saint Augustine are those caused by the UV index. And it would be nice to think the only chills we've been getting come from ice cream or the ice in our drinks. Unfortunately, some folks in town have been receiving chilling news about their personal exposure. It goes something like this: "Information identifiable with you was potentially exposed to others."

In fact, if you were one of the more than 26 million American veterans whose data was on an external hard drive stolen from the home of a Veterans Affairs employee in May, you will have read those words already, in letter from the VA. What sort of data are we talking about? According to the letters that started going out in the first week of June: names, Social Security numbers, and dates of birth, as well as some disability ratings. That is enough information to get an identity thief started, running up bills in your name.

Sadly, some local veterans who bank with VyStar were hit with a double dose of chilling news about their personal exposure. They also received letters from the Jacksonville-based credit union informing them that hackers had acquired their names, addresses, Social Security numbers, birthdates, mothers' maiden names, and email addresses. The exact number of people affected was not revealed by VyStar, which would only say it was less than ten percent of its 344,000 membership. However, that type of data would give an identity thief a running start, in several directions. For example, the email addresses could be used for very targeted and effective "phishing" attacks in which falsified email is used to trick recipients into revealing such valuable data as account numbers and passwords.

I know that at least one of the affected VyStar members was a local resident, because I had breakfast with him recently, at Jasmine's on San Marco. Over a latté and breakfast burrito he lamented that he had received letters from both VyStar and the VA. Perhaps a little too glibly I said that if he got a third letter we would write an article about him. That afternoon I noticed a new security breach exposing Floridians. Approximately 133,000 Florida driver and pilot records were on a Department of Transportation laptop stolen from a government vehicle in July.

So how should you react if this happens to you? Are you at risk if your data is exposed? What can you do to protect yourself? To answer these questions, begin by examining any information you have about the exposure. For example, here's what VyStar said about that incident: "VyStar has no indication that the stolen data has been used or will be used for identity theft or fraud."

Fortunately, you don't need to be a computer security expert to see through that one. Your first clue that this is not a very reassuring statement is how the data was exposed. According to VyStar's own report, hackers stole it. These days, that is not good. In the good old days of mainframes and early personal computers the term "hacker" did not necessarily mean someone who broke the law, more like someone who broke into the technology just to see how it worked. Hacker today can mean someone who steals bank records, either for their own nefarious purposes, or for resale to someone even more nefarious. There is a thriving black market in identity data. Organized crime is a big player in that market.

Even if your data was on a computer stolen at random, which may be the case with the stolen VA laptop and hard drive, you need to be wary of assurances that "there is no indication the data has been used for identity theft." Any computer security professional would want to add the word "yet" to that statement. After all, how can you tell if the data has been used? The beauty of all things digital is that they can be copied over and over without any indication that they have been copied. A data thief seldom erases the data, just lifts a copy so you are none the wiser.

Another assurance that bears closer inspection is this one, as seen in the VA letter: "Authorities believe it is unlikely the perpetrators targeted the items because of any knowledge of the data contents." Well, contrary to the VA's claims in the letter, the VA employee had been taking home the same sort of data for years, with permission. This implies that someone could indeed have targeted the data; but even if they didn't, your average thief today probably knows a thing or two about computers. Imagine getting that computer home and finding all that data. Knowing that it could be worth dollars per record might tempt a common burglar to branch out into data trafficking.

At this point you might be wondering what happened to all the marvelous computer security technology you see in movies: passwords, fingerprints, encryption. These are not science fiction. They exist and they are relatively effective, cheap, and easy to use. The reality is that they are not used nearly as much as they should be. One way you can tell is to read between the lines of an "exposure" announcement. The VA made no mention of passwords; the Department of Transportation did. You can bet the DOT data was password protected, the VA data was not.

So what can you do when your data is exposed by one of these incidents? The first step is to take advantage of any resources provided by the "breachee," the entity whose security was breached, thus leading to the exposure. For example, VyStar has provided a lot of information about Internet security on its web site. In addition, it has said it will provide identity theft protection to all those affected by the breach. This is a smart move because it helps to limit the company's exposure to damage claims. Several years ago I provided testimony in a class action suit brought by another group of military personnel whose data was exposed as a result of the TriWest security breach in Arizona. The victims were seeking to force TriWest to pay for identity theft protection. As far as I know the case is still unresolved, but the security lapse has already cost TriWest several million dollars.

The primary defensive action you can take, regardless of what the breachee does, is place a temporary fraud alert on your credit bureau account. This should alert you to anyone trying to open new accounts in your name. To place an alert contact one of the three main agencies: Equifax ( or 800-525-6285); Experian ( or 888-397-3742); TransUnion ( or 800-680-7289). The alert is free, good for 90 days, and may get you a free credit report. In fact, getting a credit report on yourself is a good all-round defensive measure, even if your data has not, to your knowledge, been exposed. If it has been more than 12 months since you saw your credit report, check it out, via the contacts above, to make sure it contains no surprises.

None of this implies that the party whose inadequate security made the exposure possible is off the hook. The VA is currently under pressure to improve security and do more for the victims. You can learn more at Sadly, if you visit the site created to keep vets informed about the May incident, you are greeted by news of an August incident. That's right, another computer went missing, this time exposing the insurance records of tens of thousands of vets.

Is there any good news? Well, I can say that the VA/VyStar victim I know has not received a third letter, yet. I'd like to say I see light at the end of the tunnel but, based on my 25 years of work against computer fraud and abuse, I don't. So be prepared to act in defense of your identity, keep abreast of new incidents, and cast a critical eye over any letters you receive. I'm afraid more of us will be over-exposed before things get better.

Friday, February 02, 2007

What's Up With Dataflation?

A few years ago I coined the term 'dataflation' in an effort to focus attention on the possible negative effects of widespread exposure of personally identifiable information (PII, like name, address, Social Security number, mother's maiden name, pet's name, credit card number, and so on). My thinking had been pointed in this direction by the large number of security breaches in the first half of 2005 and the massive amount of PII that they exposed (66 million records).

Plenty of people were focused on the immediate effects of this phenomenon and the media paid attention. We saw articles on What to do if it happens to you. How to protect your identity online. What companies should do to prevent such breaches. A lot of good advice was dispensed and recent figures show it might be having a positive effect. (Remember: "The best weapon with which to defend information is information.")

However, there was no immediate sign of improvement during 2005 and I continued to focus on the cumulative rather than individual effects. What would these exposures mean to the current and future value of information? How would this impact trust within society? What would be the effect on commerce, particularly e-commerce? And what effect does trust have on growth? (There are indications that more trust = stronger GDP growth, starting perhaps with the 1997 paper by Knack and Keefer, click here for a list of articles).

To me it seemed like there had to be some sort of inflationary effect on personal data, hence data-flation. Perhaps, I wondered, the more bits of personal data pertaining to you that are known by everyone, the less value each piece of that personal data would have, notably when it comes to authenticating you, to a system, a merchant, a bank, a government agency, and so on.

My article for TechTarget on the subject of dataflation was published in October, 2005. Then I witnessed the massive exposures in early 2006 which included the 28.6 million veterans (including a friend of mine who was also 'exposed' at the same time by his credit union). So I continued to think about dataflation. When I was invited to speak at Interop Moscow I chose it as the topic of my presentation.

Then a strange thing happened. In the Q&A session after my presentation, one member of the audience told me that you could find just about any data about anyone in Russia on the streets of Moscow, sold on CD. Unfortunately, I didn't have enough time or Russian to go and buy any of these CDs, but several people confirmed that large numbers of records were sold to these street-level data vendors by employees of various government agencies. We did not have enough time for a protracted discussion, and there was something of a language barrier, but I think I sensed an implied statement: "Our data is hopelessly exposed and our society/government/economy is not crumbling."

Now, I am not an expert on the Russian economy, but I think one could argue it is not doing as well as it might. One might further suggest that a lack of trust is one reason, although proving this statement is probably an entire master's or even doctoral thesis. Furthermore, I am open to pondering that implication. Maybe dataflation won't happen and everything will work out. It's just that, when you look at a compilation of the ever-increasing numbers, such as this amazing table at Privacy Rights Clearinghouse, it is hard to believe we are on the right track.