February 27, 2006

I just loved the picture

Thanks to Ted for passing this along.

Posted by Ed at 10:05 PM

ISC(2) Under Investigation for Plagiarism

For those of you unfamiliar with my opinion on the CISSP, I'm not a huge fan. It's not that I'm against certification per se, it's just that I question the value of the cert and I think ISC^2 is the wrong body to administer such a cert. I think, for example, that a for-profit entity has an economic incentive to push as many people through the process as possible, thereby lowering the quality of the certification over time. Additionally, I'm of the opinion that the CISSP doesn't really do much for the public at large and doesn't do much for practitioners like other professional certifications (CPA, license to practice medicine, etc.); unlike other professional certifications, it doesn't prevent malpractice, it doesn't provide recourse for individuals who have been burned by poor-quality security professionals, etc. At best it's of questionable value; at worst it's a cash-cow for the licensor.

In any event, given my feelings on the topic, I was interested to read that ISC(2) is under investigation for plagiarism in the "Official" CISSP guide. Apparently, an entire chapter in that book has (allegedly) been copied and pasted verbatim into the book from a paper from the American Bar Association. There are (allegedly) additional materials "borrowed" from a number of other sources as well. For those unfamiliar with the CISSP, there is a mandatory code of ethics that accompanies the certification. The following are all entries from the ISC^2 code of ethics:

-Act honorably, honestly, justly, responsibly, and legally.
-To discourage behavior such as... Associating or appearing to associate with criminals or criminal behavior.
-Tell the truth; make all stakeholders aware of your actions on a timely basis.
-Avoid conflicts of interest or the appearance thereof.
-Take care not to injure the reputation of other professionals through malice or indifference.

Is it just me, or is this ISC^2 plagiarism particularly noxious in light of those aspects of the code? It's not just the fact that they stole from others - it's the hypocrisy of making other people swear to uphold the code that they violated in an official publication of theirs... on no less than 5 counts.

Posted by Ed at 07:55 AM

February 24, 2006

Oracle's Hubris: Punishment is Coming

In case you missed it, Oracle has put the world on notice to "turn security rhetoric into action". That was the theme of Evelyn Sell's (Senior Program Manager with Oracle) presentation last week at SECURECon; basically she took the stage to tell all of us security practitioners and developers that there is no excuse for security rhetoric that isn't backed up by action. Wow. Do I even need to say it? Does "unbreakable" ring a bell? Or when Larry Ellison said "we haven't had a vulnerability in twenty years"? Clearly they aren't and clearly they have. Once again, I am flabbergasted by the hubris and hypocrisy coming out of that firm.

Now I thought I was about as irritated at Oracle as I was going to get - but clearly I was wrong. For anybody who hasn't been paying attention, Oracle is not the standard for software security - despite what their marketing department might tell you. I remember studying Attic Greek at one point in the distant past, and there are a few things I remember about hubris: first, I remember that the quality of hubris (ὕβρις) is the principal downfall of characters in the tragedies. I also remember that it was one of the worst personality characteristics that the Greeks could imagine a person having. Almost any time that a character demonstrated the trait in tragedy, they were struck down (usually by the gods). To illustrate how much the Greeks hated this quality, the word can mean either "insolence" (akin to the sense we use it in today) or "violent crime" and was punishable by death under Athenian law. The Greeks loved to see those people on a "high horse" get their lumps.

I think the Greeks were on to something; I think the security community is starting to react to Oracle's bull. Gartner has said they are no longer a "bastion of security", researchers are working overtime to poke holes in their products, and they're spending increasing amounts of money to bolster their image. The stage is set, and I think there's some major divine wrath on the horizon.

Posted by Ed at 08:46 AM

February 21, 2006

Apple Malware Galore

There is a new piece of malware for OS X circulating this week - this time, it's called OSX.Inqtana.A (actually that's the SYMC designation). The malware itself isn't that original, isn't that complicated, and probably won't spread very quickly. However, according to one of the Sophos engineers the article cites:

Apple Mac users need to be just as careful about protecting their computers with anti-virus software, firewalls and security patches as their friends and colleagues using Windows.

Oh, but we're not - which isn't good news for most OS X users. On my Mac, for example: I don't have an AV product running, I patch the machine when it reminds me (I think once a week or so), and I punched a bunch of holes in the OS X firewall to allow various services. I think I'm at least "Joe Average" when it comes to keeping my Mac secure - maybe a little bit more diligent because I am a security guy. Between that carefree attitude of Mac users and the fact that Apple is consistently slower in releasing security patches than other vendors, I think the whole Mac population could be caught with its proverbial pants down in the event of a real worm. The only thing we have in our favor is the fact that the user population is low - in order to work up to a good distribution rate, 2% of the population doesn't cut it.

Posted by Ed at 12:17 AM

February 20, 2006

My mysterious disappearance and RSA aught six

Once again, the time has come for me to apologize for my mysterious disappearance. As some of you know, I was out at the 2006 RSA convention for the week working sixteen hour days. Needless to say, the quantity of my blogging suffered as a result of the work overload.

I remember, as a starry-eyed pup, going to my first RSA show back in 1998 (I think it was the year with the Viking theme) and expecting that the show would be something bigger than life. I was disappointed in the technical content then, just as I was disappointed in it this time around. While it is always interesting to see the new technologies and startups and it's always nice to see friends, the discussions were just as disappointing this year as they have been in years past. In fact, when I saw Bruce Schneier's restaurant guide, I was at the point where I would say that the conference had "jumped the shark". But then I started thinking, and I had a revelation... All this time, I've been getting something valuable from the show, but I haven't stopped to appreciate it.

As always, the discussions and panels fell short of my expectations, the vendors didn't offer much that's new, and the parties were loud and "not my scene". But judging the show in this way isn't fair: how much justice can you do to a topic in an hour? How many new and groundbreaking products are there likely to be at any trade show? What did I expect? No, in my opinion, the value of the conference is in the relationships that are made and perpetuated. For example, the Microsoft Blogger luncheon was a high point - a number of talented, motivated, and interesting people were there sharing their experiences, trading tips and techniques, and talking about security. More personally, I was able to connect with old friends (some of whom I haven't seen in years), make new friends (like the Microsoft engineer whose table we stole at Tandoori) and deepen existing friendships (like having a chance to really connect with a "to remain nameless" - and therefore "stigma-free" - fellow Fantasy and Gaming connoisseur). In other words, the technical content is not the show's strength - the people attending it are.

So was it worth it? Absolutely. But not because of the keynotes, the workshops, or the expo floor. Did it jump the shark? Maybe. But it was "worth it" where it counts - which has nothing to do with the technical content.

Posted by Ed at 09:25 AM

February 10, 2006

Oracle to World: "Security Mission Accomplished..."

Oracle has responded to the charges from Gartner and others that it is the new security whipping-boy by sending out the message that "it's totally handled". This time it's Hasan Rizvi, VP of security products who's sending the message:

Our customers are so used to high security that when there is a vulnerability they don't apply the fix because they are not used to it, which is an interesting position to be in. People have to apply them and we can't do too much about that.

So Oracle's position is that they are so secure that people are confused about the need to apply patches. So, in the unlikely event that they do need to patch, the customers don't know they need to apply it. No seriously, that's the message...

I think some of the problems are, ironically, because of our strong track record and [customers] don't take some of the processes [sic] to fix them seriously.

So, to paraphrase; "Oracle's security is the best in the industry, and our customers (recognizing our prowess) keep dropping the ball because we're so damn good." Is it just me or does anyone else find this message to be somewhat "out of touch?"

Posted by Ed at 03:23 PM

February 09, 2006

FISAP: InfoSecurity's Muzak

I came across a Computer World article this morning about "new standards" for doing security vendor assessment. I got all excited for a few minutes until I got to the part about how it's a BITS initiative, but I decided to keep an open mind and do some research on it anyway. After all, I've said all along that I think the goal of having a common vendor score-card would be good for the industry (not to mention that it's a good way to make money for those of us in the scoring business). Needless to say, I was disappointed by what I found.

Overall, I found the FISAP documents on the BITS site to be lacking in specificity (the FAQ, the program overview, etc.) The real "coup de grace" came, though, when I found out that the FISAP program is really (more or less) the BITS outsourcing workgroup with a new name; they've taken the long, vague, and toothless outsourcing documents we've all grown to love and "presto chango" made them into the core of the FISAP program. Seriously, this is from the program overview:

The Financial Institution Shared Assessments Program was conceived by the BITS IT Service Providers Working Group and leverages two groundbreaking outsourcing guides: the BITS IT Service Provider Expectations Matrix, a risk management tool for financial institutions, and the BITS Framework for Managing Risk for IT Service Provider Relationships.

Bummer. I know a lot of people worked hard on these documents, so I really hate downplaying their achievements - but sometimes you just have to say what needs to be said. These documents are painful (I can say this without worry of hurting anybody's feelings since these documents are all written by committee anyway.) They're skillfully worded not to prescribe anything, they state the obvious in the "eat your vegetables" kind of way, and they're incredibly long - they're like the "muzak" of security guidance.

Is that too harsh? Look, time is valuable. A 125 page document that doesn't tell me anything wastes my time. This kind of long, valueless document (nicely worded though it may be) is worse than useless to me. Useless would be if it required a small investment in time to read and provided a correspondingly small value - in that case, the energy spent reading it would roughly equal the value I got from it ("net zero".) "Worse than useless" is when a large investment in time is required (like the time it takes to read 125 pages) and provides minimal value - that's a "net negative" - meaning I would have been better off if I had not read it. If you still think it's too harsh, take a look for yourself - I don't find it valuable, but that's just me...

So how seriously do I think the industry will take FISAP? Maybe about as seriously as they take the BITS certification initiative. As per the BITS site, there are three products certified by BITS in their decade-long history (that's an average of one every 3 years 4 months). Ouch.

Posted by Ed at 09:18 AM

February 08, 2006

Moveable Type Update

Thanks to Diana for upgrading our antiquated version of MoveableType, and apologies to the folks who've had their "read/unread" status refreshed.

Posted by Ed at 09:50 PM

Apple Dunkin'

Remember how I've been saying that the security of OS X is an illusion? Well, just in case you wanted some proof, The Register has the play-by-play of a public 0\/\/ning of a (fully-patched) OS X system.

The victim, a security researcher who asked to remain anonymous, had locked down the system prior to the conference and believes that a previously unknown exploit caused the compromise... [weeks later] forensics performed on the system did not reveal any clues as to how the PowerBook had been compromised.

Awesome! So, there's a 0day that's still out there that lets hackers have full control of my Mac? Thanks, Apple - I think I'm starting to "think differently" now...

Oh, and just in case you missed it, Rebecca Freed over at PC World has an article about Mac's superior security.

Another reason that Mac users tend not to worry about exploits is that Apple tends to patch discovered vulnerabilities quickly. In 2005 Apple issued nine security updates as well as product updates incorporating security patches.

Posted by Ed at 10:23 AM

Wednesday Morning Humor

From the gentleman who brought us the BBQ Sign Generator, the Office Park Sign Generator, Atom Smasher brings us the Graffiti generator. Love it.

Posted by Ed at 10:07 AM

February 06, 2006

That ol'-time religion gets upgraded

You know that something is deeply entrenched in society's collective vocabulary when you see it on a sign outside a church, right? That's my assertion, anyway. To prove that identity theft is here (and here to stay), the Wisconsin Evangelical Lutheran Synod waxes philosophical about identity theft.

Note that J3sus pHreakers and the Christian Hacker Association had nothing to do with it.

"But WOE unto those who do not accept the Good News, or worse, who download it but fail to register it, thus depriving hardworking evangelists of their deserved credits. And the Filesharers shall be found by the Managers of Digital Righteousness and be smoten by them – RIIA 42:13.
(From "The Traitor's Manual: Have you been saved from treason?")

Posted by Ed at 11:53 AM

February 04, 2006

Sucks to be a QDSP nowadays

I came across a reference to the Sports Authority stripe-data incident on Emergent Chaos today. What was really interesting to me was the alacrity with which Sports Authority sold out their PCI assessor.

Chas Withers, a spokesman for Sports Authority, said it was surprised by the discovery, because a Visa U.S.A.-approved assessor had told the company it was not storing such information.

Thanks, Chas. You're storing magnetic stripe data (in direct violation of Visa operating regulations) somewhere in a dusty nook of your infrastructure. Makes perfect sense that your assessor is at fault for not finding it for you.

You ever get the feeling that West End Games' Paranoia division is somehow responsible for PCI?

Posted by Ed at 05:15 PM

I told you so. :^P

About the only thing Kama-Sutra left us with was innuendo in the press. According to News.com, Kama-Sutra "went soft" and is now "shriveled." Anyway, the Register tells us that we've "survived the apocalypse" in typical sarcastic fashion.

Posted by Ed at 07:50 AM

February 03, 2006

The new trend in outsourcing

Did you know that you can pay a dog in biscuits, thereby reducing overall customer service salary costs by more than 80%? As an added bonus, they can't understand English, so your personal information stays safe!

Expect this new outsourcing craze to sweep corporate America like wildfire in the next 6-10 months.

Posted by Ed at 04:11 PM

February 02, 2006

Lovin' from the Kama-Sutra

Blackmal, Kama-Sutra, MyWife... call it what you want. My mailbox has been on fire with email coming in about this worm for the past two days. Colleagues, friends, and relatives are all sending me information on the worm, every AV vendor I've ever requested information from is "dropping me a line" to tell me about it, HIPS vendors are sending me information about how their product defends against it, and PR firms are sending me updates about how the vendors they represent want to have a discussion about it. Here's the thing, though: I think this worm is going to play out just like a Matrix sequel - tons of pre-release hype, but not much action once it hits the streets.

Remember the DaVinci virus? The press made that out to be more than it really was; there are tons of similarities between Kama-Sutra and DaVinci - a hostile payload, a countdown to a particular date, etc. Just like the DaVinci virus, the media has latched onto this worm and is out hyping it up as the worst thing to hit the Internet since Ashley Simpson went mp3, but I honestly disagree. I'm with Russ Cooper who says, "I think it's winter and we're bored."

Posted by Ed at 03:39 PM

February 01, 2006

"Extrusion" Prevention?!?!

Every once in a while, I hear a marketing term that stops me in my tracks for one reason or another. This is one of those times. Maybe I'm out of the loop on this one, but have you heard about "extrusion prevention" yet? Seriously - extrusion.

Here's the back-story: back in 2004, Danny Lieberman came up with "extrusion" as a concept for information leaving a company in contrast to "intrusion". It's a clever way to grab a reader's attention if you're a journalist, so props to Danny. Since the original coining of the term, various product vendors like Fidelis and Datamation have picked it up and run with it to the point that now we have papers being written about "extrusion prevention" and "buyers guides for extrusion prevention."

Now, don't get me wrong - these are probably good products, and I'm sure they're useful. My only issue here is with the continued use of "extrusion" as the catch-word - maybe we ought to start considering the literal definition of a term before borrowing it for marketing purposes. Take a look at the literal definition. Not pleasant; consider:

compacting... and forcing... through an orifice

Outward displacement of the contents of an organ.

squeezing out by applying pressure

Eww. Can we, as an industry, please have a moratorium on marketing terms that are literally defined as "squeeze forcibly through an orifice?" I don't particularly like the organ reference either.

Posted by Ed at 04:15 PM

Another Must-read

Came across the link today to "Contrasts in Presentation Style" at Emergent Chaos. This is a must-read.

Posted by Ed at 08:21 AM