November 2010 Archives

Step 1: Start with a top-notch planning team.
Step 2: Find an outstanding venue.
Step 3: Find enthusiastic and generous sponsors.
Step 4: Develop a strong slate of speakers.
Step 5: Deliver on its awesomeness.

In the case of #BSidesOttawa, this is now "mission accomplished" thanks to the outstanding efforts of Justin Foster, Peter Hillier, and Andrew Hay (plus a few others whose names I'm remiss in forgetting). As a co-conspirator in #BSidesAustin, I greatly appreciate the amount of effort that goes into planning for a conference. The guys in Ottawa definitely knocked this one out of the park! It's looking favorable that this will trigger a handful of BSides events through the country, which I personally think is outstanding.

This post is a wee bit delayed thanks in large part to workload and the American Thanksgiving holiday. That being said, I think it's high time to cover some of my personal highlights from the inaugural #BSidesOttawa event...

The latest burst of complaints over TSA are well-documented (see my coverage here). There's definitely a lot of merit to many of the arguments, not the least being that the focus on perimeter screening suggests a blind naivety that the TSA thinks that a) all threats come through checkpoints, and b) that they're somehow able to stop all threats (known or unknown). Unfortunately, while our civil liberties continue to be forfeited on a whim for the secure feeling of a police state, the terrorists continue to win.

There's been a veritable metric ton of coverage this past week over the TSA and their ham-fisted approach to security. This week's controversy is around the combination of back-scatter X-Ray scans and the introduction of "enhanced" pat-down techniques that, in some states, literally amounts to definitive sexual battery. There are an increasing number of anecdotes from people about abuses of the system, and a whole lot of attention placed on privacy issues. I'll provide some thoughts on those aspects, but before I did so, I want to hit what I think is the #1 reason why I think the TSA is wholly deficient in the area of airport security.

First, a word on terrorism: By abandoning the principles upon which this country is founded, and which make the US unique and special, the terrorists have won. Every time the bureaucratic geniuses here in DC make another idiotic and irrefutably clueless decisions like this latest round of lunacy, the objectives of the terrorists are achieved in ways the terrorists could have never accomplished on their own. It is our patriotic duty to refuse to be terrorized (http://www.schneier.com/essay-124.html)!

Hey folks! If you're planning on attending RSA 2011 next February, then here are a couple things you should look at.

1) Mini-Metricon 5.5 (Mon Feb. 14, 2011)

Do you have an interest in security metrics? Have you been doing security research that includes generating lots of statistically valid data? Need a place to share that work? Or, maybe you just want to give a lightning talk about a metrics/measurement-related topic? If so, the CFP deadline has been extended to Friday, November 12, 2010. Please submit your ideas! Full details here:
http://www.securitymetrics.org/content/Wiki.jsp

2) ABA InfoSec Committee Annual Meeting (Sat/Sun Feb. 12-13, 2011)

Do you have an interest in the intersection between infosec and the law? Please join us for this free, 2-day annual meeting of the American Bar Association Information Security Committee. You do not need to be a lawyer to attend or participate (I'm not!). We're looking forward to some excellent discussions, panels, and presentations around key topic areas including cloud computing, healthcare data protection, current public policy initiatives affecting infosec, security integration in hardware (supply chain issues, robotics, DMCA anti-circumvention), and legal defensibility.

If you'd like to participate (panel, preso, or just want more info on attending), please post a comment, drop me an email, or hit me up on Twitter.

I've been mulling over writing a "cyber war" piece for several months - ever since Bejtlich started a series of posts last July on the topic, coupled with my reading of Richard Clarke's book, Cyber War. However, I've held off, mainly because I've been somewhat on the fence with the whole topic. On the one hand, yes, nation-states are conducting operations online, though they primarily fall under the heading of "espionage" and are not "attacks" per se. On the other hand, we have some suspicious situations (e.g., Georgia, Estonia, Google's "Operation Aurora," Stuxnet, Israel's bombing of the Syrian nuclear facility) that seem to clearly lean in the direction of being "cyber warfare" (or, offensive) operations.

Part of the problem I face in thinking about this topic is trying to separate the FUD-driven rhetoric from the realities of the current threat landscape. Those generals and politicians (one in the same?) behind the creation of the US Cyber Command provide a good example of hype and noise intended to generate false concern in order to further a clearly political agenda: formation and funding of Cyber Command. Ironically, all of this FUD highlights what is a clear problem: that the US Military is largely focused on offensive operations, neglecting the home front where we're most vulnerable (see my prior post "Missing the "Defense" In DoD?").

"Careful. We don't want to learn from this." -Bill Watterson

Unless you've been living under a rock the past few months, you've undoubtedly heard something about the Stuxnet worm. It's actually quite remarkable how much "information" is available with so little publicly known. As per usual, there's not much balance between inflammatory FUD and the pragmatic realities of the situation. The sad truth is that control systems like the one targeted are now often Internet-accessible, but have not been adequately secured in the least. While Stuxnet certainly leveraged 0-day vulnerabilities, it also relied on less-than-0-day attacks and took full advantage of really lousy security practices that allowed things like outside USB drives to be connected to control systems. Oops.