February 2010 Archives

I had an interesting conversation on the plane last week with a retired choir director/professor who had recently experienced fraudulent charges on his bank account. As I had disclosed my profession, he wanted to know how this could have happened and I struggled to answer the question in a way the he - a non-techie - could easily understand.

The conversation made me wonder once again: what should/can we reasonably expect the average person to understand? Do we really need to reduce to the lowest common denominator, or do we at some point draw a line, with the caveat that a certain percent of the population will never "get it"? If so, what percent is reasonable and appropriate?

The 2010 RSA Conference (USA) is nearly upon us, kicking off next week Monday (3/1) at the Moscone Center in San Francisco, CA. I will be making the annual trek out there, with a similarly rigorous schedule once again (ABA mtgs Sat-Sun, MiniMetricon Mon, BSidesSF Tu-We, RSA Mo-Fr).

One major change this year (this week!) is that I'll be hopping on the LAW-401 panel at the last minute, substituting for a friend of mine. The panel is 9am Friday morning (I know, yikes!), but just in case you might be interested, here are the details:

LAW-401 Digital Forensics vs. Security & Encryption
Session Abstract: From self-encrypting drives to auto-wiping media, advances in data security present unique challenges to accurate and effective forensic evidentiary collection. Failure to anticipate the ramifications of encrypted or secured data can result in a complete breakdown of the digital forensic process. The panel will discuss current devices, legal challenges and capture solutions currently used in the field.

This is very cool. I've been saying informally for several years that I viewed micro-generation as the wave of the future. I figured that businesses would be the first to adopt technologies that go into buildings to make them essentially self-sufficient for power generation. Well, that ideal is now much closer to reality. Meet the Bloom Box:

I'm starting to think that we as a people have devolved to the point of losing most of our basic survival skills. If you spend any time driving the crowded roads of a major metropolitan area, or passing through airports and their associated screening processes, or even just pay attention to the news and some of the incredibly idiotic things that people are doing these days (Baptist "missionaries" trying to steal kids from Haiti, Pennsylvania schools surreptitiously spying on students via issued laptops, or even the current state of mindless politicians being directed by their corporate masters), then you probably understand what I'm talking about here.

This thread absolutely applies to infosec and the business community. It seems decreasingly likely that businesses are doing what is absolutely necessary to protect themselves and, more importantly, to ensure that the business continues. And I'm not talking about business continuity here in the BCP/DR sense (though that's certainly a part of the big picture). I'm thinking, quite simply, about fundamental attitudes and behaviors that reflect a general lack of awareness about viable threats to the business and continued success.

Get it while it's hot! Skimming through it, unless you're new to the industry or have been hiding under a rock, none of this will be new. Nonetheless, it is a well-written document that can be used as a solid reference with both techies and management. It's definitely a nice stake in the ground - now you just need to figure out how to peg against it.

2010 CWE/SANS Top 25 Most Dangerous Programming Errors
http://cwe.mitre.org/top25/index.html

In case you haven't noticed, my blogging has trailed off the last few weeks, roughly corresponding with starting a new contract. There could be any number of reasons why this has happened, but it's nothing you couldn't probably guess at. New gig, longer days, lots of work, too few hours, not enough resources, yada yada yada. You know, it's called security. ;)

Perhaps the most frustrating part for me has been trying to find time and energy to write. I keep having quick ideas, but when I finally sit down to write about them, well, things just fizzle and fall flat. Not being one to publish something that I think is complete garbage, I've simply not. I even tried to write a couple article submissions last week, but those were not particularly good. If they end up running one, fine, though I will not be sad by any means if they don't.

Just a quick note and redirect here... if you've not seen Ross Anderson's post "Chip and PIN Is Broken" yet, then I highly recommend zipping right over to his site to read through it. Basically, the underlying schema is broken because of the way the "solution" has been aggregated from various standards. This finding underscores the need for coherent and well-coordinated standards when it comes to things like handling sensitive data.
http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/"

Update (2/18/10): The Smart Card Alliance has provided a response questioning the viability of this attack in the "real world." It certainly seems somewhat unlikely, though the truth is probably somewhere in the middle. Maybe they should just fix the schema.
http://www.digitalidnews.com/2010/02/15/emv-hack-may-be-overstated"

Due to pending inclement weather, I've bailed on my plans to attend ShmooCon this weekend. As such, my barcode is now available. Please ping me asap if you're interested!!

Thank you to The ISSA Journal editorial board and staff for this distinction!

Hey there conference attendees - it's time to find your groove and hop on the bandwagon for Security BSides. We have two events coming up VERY SOON - now's the time to act! Security BSides events are free to attendees, relying exclusively on the generosity of volunteers and sponsors.

Speaking of sponsors, we still need some, especially for BSides Austin! Wondering about the value proposition? Check out the Security BSides page on Sponsoring. Please let me know if you have questions or interest in helping out!