Feedback from the community we serve lets us know what we’re doing well, what we need to work on, and which stakeholder needs are unaddressed by current security measures. It can also give us useful clues as to where processes might not be followed the way we intend — or areas where business partners feel they need to go around current processes.

Check out the full article here.

MATTAPOISETT — Neil Barry Roiter, 64, of Mattapoisett, passed away at Massachusetts General Hospital in Boston, Sunday, May 5, in the mid-afternoon. He is predeceased by his father, Gordon. He is survived by his wife of 26 years, Gwendolyn (Friss), daughter, Tess, and son, Andrew. He is also survived by his mother, Shirley, his sister Mindy, brother, Robby, and sister, Debby, mother-in-law, Faith Friss, as well as many nieces and nephews. The cousins he grew up with held a special place in his heart. Neil treasured his family, and was always there to share in holiday celebrations and lend a hand to anyone who needed him.

In general though, from a security standpoint, I think all of us in the profession can probably agree MFA is useful.  Even the folks over at PhishMe (who posted an analysis about how MFA wouldn’t have prevented the particular Twitter attack) weren’t arguing against MFA in their analysis per se — they were just pointing out that other defenses are required as well.  Meaning, other attack scenarios (such as phishing) might still apply even in the presence of MFA.  Because, of course, MFA isn’t a panacea — just like everything else in security.  So pointing out that we shouldn’t expect it to be (as many in the mainstream journalist crowd seem to suggest that it is) is useful.

Anyway, the point is that most everybody agrees on the security.  Which is why it makes it so frustrating that adoption continues to stagnate.  Look, there’s a reason that twitter (the 10th most-visited site on the Internet according to Alexa) doesn’t have two-factor despite a long and storied history of authentication abuse.  Before you say it, it’s not about laziness or lack of innovation capability… all one need do to dispute that is look at what they’ve done in relation to the OAuth standard, and you’ll see that they’re more than capable of “going there” technically.  They just choose not to.

Look, in the face of overwhelming evidence as to the value of MFA, folks (including Twitter) are slow to adopt it.  Why?  I think it’s about user convenience: the fact that adoption tends to be painful and expensive for both the end user and the implementer.  Who wants that?  

Anecdotally, we know that users don’t respond positively to the “usability” of many MFA systems.  But what’s interesting to me is that we have evidence that suggests that users hate passwords too.  For example, there’s a new Ponemon survey out about customer attitudes about online authentication (spoiler #2: they hate it).  The full report is here (registration required), but the synopsis (press release maybe?) at SecurityBistro gives the gist:

Roughly 50 percent of respondents in the Ponemon survey, “Moving Beyond Passwords: Consumer Attitudes on Online Authentication,” were either “very frequently” or “frequently” thwarted when conducting an online transaction (such as buying a product or completing a transaction) due to an authentication failure on the website.

So I ask myself the question of why MFA vendors don’t position a combination of factors that are all about convenience and sell that (or maybe they have and the market has responded with “no”).  There’s no law that says that every MFA solution has to be hard to use.  In certain scenarios, proximity cards are almost entirely transparent. Fingerprinting and identification of a device can be almost completely transparent to the end user and can provide a “what you have.”   From a “what you know” standpoint, a 4 digit PIN (though relatively non-secure on its own) may be “good enough” in certain scenarios – like when you have a robust “what you have” to back it up (experience has demonstrated this with ATM machines) — it’s also highly convenient.

OK, OK, I can hear the authentication geeks out there winge-ing even as I say this.   But my point isn’t that device identification is great and we should all use it… or that all we need is a numeric PIN.  Instead, the point is that those two vehicles – in combination – are about as close to transparent (for the end user) as you’re likely to get.  Could the two in tandem be equivalent to a password (note: not better… “equivalent”) under the right circumstances?  Maybe.  Maybe it could be slightly better.  For example, after an initial enrollment tying the device to something else that’s stronger.  Quite a few banks seem to think so as evidenced by two out of three of the banks I’ve used doing exactly that.

Meh… so this is already a fairly detailed rant for a Friday, so I’ll wind it down.  But my meta-point is that I think the way to push MFA is to make users want to use it.  Some people are doing this now: Blizzard springs to mind.   Why is the MFA at Blizzard fun and easy to use whereas the MFA at your bank (mine in particular) is painful and hair-pull worthy?  Because the folks at Blizzard have invested in “selling” it to their user base through a combination of different approaches.  They sell it not on enhanced security (well, at least just on that alone) but on a combination of usability, “carrots” for the user (e.g. in-game items), and convenience.  

The result?  Better security and happier users.  Sign me up for that. 

<Note: The views presented are my own and do not necessarily reflect those of my employer.>

 ”Breaking: Two Explosions in the White House and Barack Obama is injured.”

Security “news junkie” that I am, I actually hadn’t seen this until seeing it on Up with ”All In with Chris Hayes” last night.  The fact that he chose to cover it gives me some hope about journalism in general -in particular because he chose to cover it not from the “hackers are scary” viewpoint (where most prime-time journalism coverage goes when it’s related to cybercrime) but instead because he chose to cover another side of the story which, I feel, is more relevant.  Notably, the impact to the markets.

The short version is that the market dipped 150 points in the 7 minutes between when the fake tweet went out and when it was discovered to be bogus.  This is a pretty big deal.  Why, you ask?  Because of the fact that this particular hacker directly – and without any room for ambiguity – impacted market prices.  Directly impacted them.  They impacted the index.  Let that soak in for a minute.

This means that the attacker could have made a very significant amount of money by doing so if they had been so inclined.  How?  By shorting the market.  Readers of this blog may recall that I’ve been “waxing histrionic” over the past few years about Bitcoin liquidity issues, recent regulatory actions related to Bitcoin, the possibility for Bitcoin market manipulation, etc.?  Yeah, that’s this.

It’s a known fact that if you can get the price of something (be it commodity, currency, derivative, or security) to drop, you can make money by taking a short position.  It’s not easy to do this with Bitcoin (yet) because shorting it currently isn’t very viable (long story: no derivatives market, anonymity of the currency, liquidity problems, etc.)  With Bitcoin, the best folks can do is what Mt. Gox speculates is happening with the DDoS attacks: people attack the exchange to drop the price and then buy back once the market stabilizes (rinse and repeat).

But the Dow?  The S&P500?  Now, there’s something you can sell short.  Honestly, I don’t think short-selling was what this particular hack was about (I think Occam’s Razor is that they were just trying to get attention), but the critical point in my opinion is that they’ve proved it is possible to manipulate prices via hacked journalism.  Imagine what a hacker could do if they deliberately wanted to manipulate the price?  False labor numbers, bogus press releases, false scandals and allegations of fraud or criminality… the list goes on.

All I’m saying is that there’s an opportunity here – and I think it behooves us as an industry to look at it.  Why spend XYZ billion dollars protecting the integrity of the markets as “critical infrastructure” if there are feasible “side-channel attacks” against the Fourth Estate that could be just as disruptive?  Seems like something we ought to fix.

<Note: Views presented are my own and not necessarily those of my employer.> 

For security professionals who aren’t afraid of a bit of tinkering, old Android phones can be valuable raw materials — ways to achieve capabilities for little-to-no additional overhead cost. If the need is pressing enough or the budget strapped enough, creative use of old Android devices might very well represent a win for the security team.

If this sounds interesting to you, check out the full article here.

There was some coverage that I came across the other day that I thought was interesting about how Mozilla is considering rejecting TeliaSonera’s application for a new root certificate.  At the core of the issue is the question of whether or not they acted appropriately in their practice of knowingly issuing certificates that allow governments to snoop on traffic.

The backstory is that the Swedish television program “Uppdrag granskning” (i.e., “Mission: Investigation”), an investigative journalism program, aired an episode called “The Black Boxes” consisting of an hour long investigation of how TeliaSonera allegedly sells citizen intelligence information to dictatorships (you can watch it subtitled on their site and rebroadcasted through YouTube).

To enable the snooping, TeliaSonera (according to the report) issued certificates from the trusted root that allow governments to snoop on traffic.  Meaning, they issued “spoof” certificates.  These are certificates issued on behalf of somebody else that the government doesn’t own that were given to the government in question.  As an example, if I were able to obtain a cert that claimed I was “google.com” so that I could proxy web traffic and investigate the content of web searches going by.  Fun, right?  Of course, I couldn’t do that… but I’m not a government.  From the CNET coverage:

Allegedly, the telecom company allowed Eastern European and Central Asian governments — specifically Azerbaijan, Kazakhstan, Georgia, Uzbekistan, and Tajikistan — to eavesdrop on citizen’s private Internet use. The way TeliaSonera supposedly let this happen was by issuing certificates to the governments that let them pose as legitimate Web sites and decrypt Web traffic, according to the Register.

Why does Mozilla care about this?  Because the practice is in direct conflict with Mozilla’s CA Certificate Inclusion Policy.  This is the document that establishes the criteria for what CA’s must do to be included in the trusted certificate store for Firefox (and other Mozilla projects.)  Meaning, it’s the public document that describes what CA’s must do to make the list of what is considered “trusted”.  The point of having the list at all is so that users can evaluate and choose whether or not to trust the “out of the box” root certificates — i.e., to have an objective standard that helps users understand whether or not sites using those certs are trusted. From that document:

We consider verification of certificate signing requests to be acceptable if it meets or exceeds the following requirements… for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant’s behalf…

Now, if a dictatorship is not the registrant of a domain, the policy requires that they must be “authorized by the domain registrant to act on the registrant’s behalf.”  Were they? Since this was a clandestine activity, the answer is probably “no”.  So I’m not surprised that Mozilla is considering taking action here.  In fact, it seems to me like Mozilla’s in a bit of a bind if they don’t.  Why?  Because the program requirements speak to this explicitly.  If CA’s can knowingly violate the inclusion program all they want, why have one at all?  Just let CA’s slap in whatever: Snoop-o-rama Super Shady Terrorist-Watch-List CA?  Absolutely.  Lulz-Boat Extended Validation Trusted Root?  Don’t mind if I do.  So in the presence of direct information about a violation, it would seem to me the program would be undermined if they ignore it.

Other browser’s programs don’t have this same issue.  At least not right now.  Why not?  Because they speak to authorization indirectly rather directly (Mozilla also speaks to it indirectly too, by the way… but the pressure to act is caused by the direct reference to it in the root CA program).  The “indirect” route I’m referring to is via the certification audit.  Meaning, the Microsoft program (and also Mozilla’s program by the way) require annual validation according to a known standard — for example, WebTrust for Certification Authorities, ETSI TS 101 456 or ISO 21188:2006.  Apple’s Root CA Program  requires WebTrust explicitly.  Each of these programs speak to authorization, but do so as part of the validation process.  Take the WebTrust requirements as an example — in that case, the audit criteria compares the CA practices against the CA Browser Forum’s SSL Baseline Requirements.   Reproduced below is section 11.1.1 of that document (entitled “Verification Practices – Authorization – Authorization by Domain Name Registrant”):

For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant either is the Domain Name Registrant or has control over the FQDN by:

1. Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar;
2. Communicating directly with the Domain Name Registrant using an address, email, or telephone number provided by the Domain Name Registrar;
3. Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field;
4. Communicating with the Domain’s administrator using an email address created by pre-pending ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at-sign (“@”), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN;
5. Relying upon a Domain Authorization Document;
6. Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN; or
7. Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the FQDN to at least the same level of assurance as those methods previously described. …

If the CA relies upon a Domain Authorization Document to confirm the Applicant’s control over a FQDN, then the Domain Authorization Document MUST substantiate that the communication came from either the Domain Name Registrant (including any private, anonymous, or proxy registration service) or the Domain Name Registrar listed in the WHOIS. The CA MUST verify that the Domain Authorization Document was either (i) dated on or after the certificate request date or (ii) used by the CA to verify a previously issued certificate and that the Domain Name’s WHOIS record has not been modified since the previous certificate’s issuance

Meaning, if a CA doesn’t adhere to this, they should fail the audit.  TeliaSonera passed the audit.  Granted, this is probably something the audit program should be looking at… but the fact of the matter is that since the Apple and Microsoft programs hinge only on the audit, TeliaSonera technically isn’t in violation yet.  They might be if they fail future audits, but they aren’t now.  So what will Mozilla do?  I guess we’ll see.  But it’s pretty interesting stuff.

Image source: funnypart.com

<Note: the views presented are my own and not necessarily those of my employer.>

An interesting article today about the demographics of firms buying security companies.  I came to it by way of Hack in the Box, which referenced analysis of it in CRN, but the actual original piece is from Delling. I recommend the original piece because it’s less expurgated than the republications.

It’s an interesting read and confirms what many analysts have pointed to for a long time about the purchasing dynamics within the security sector.  Notably, that big security firms don’t really innovate so much (because they don’t have to) so instead wind up buying the smaller, more-innovative, and more agile firms.

There’s a few really useful graphs that might be interesting to folks.  The first one shows who’s buying whom and the second one shows volume of purchases over time.  Again, there aren’t too many surprises here, but it is interesting to see this wrapped in some actual numbers.

Image source: scary-pictures.feedio.net

<The views presented are my own and do not necessarily reflect those of my employer.>

[Note: edited on 4/18 to fix ridiculous basic math error]

Today, I came across two different surveys about insider threats.  What was interesting to me is that the data was similar, but the conclusions reached were almost polar opposites.  I’ll highlight them to you in the order that I discovered them.

The first one comes ultimately from a survey conducted by LogRhythm, but I came across it by way of coverage in CSO. Check out the coverage in that venue [underlining mine]:

Although insider threats to data security remain a serious problem, the word apparently hasn’t made it up the corporate food chain in the UK. Survey results released recently by the UK office of network security provider LogRhythm, headquartered in Boulder, Colo., found that nearly half (44 percent) the 1,000 employers polled said they trusted their employees not to access confidential documents or steal data from them.

Since 44% did trust employees, the implication has to be that 56% did not so trust — in other words (paraphrasing) that they viewed employees as risky.  The conclusion drawn from this in the associated analysis is that this number is too low: that organizations are overly complacent about employee behavior because they have this “high” level of trust.  Now hold that thought for a moment.

The second piece comes from a survey from AlgoSec (warning:PDF) although I came across it by way of HelpNet.  From the latter [underlining mine]:

The greatest risk is from within – Two-thirds of respondents (64.5 percent) rated insiders as the greatest security risk. Roughly the same proportion of respondents (66 percent) expressed concern that allowing employees to “bring your own device” increased the risk of security breaches.

Paraphrasing, ~65% viewed insiders as risky (in fact, the greatest risk).  The conclusion in the associated analysis is that, “Insider threats are the greatest concern…”  and that organizations are (and should be) on the verge of near panic about it.

The difference between these two data points is ~11%… and the questions asked were similar.  That’s actually pretty interesting and increases the overall confidence in the accuracy of the data point. But the conclusion?  Conclusion A is that “employers are in denial”; conclusion B is that it’s the “greatest concern.”  It can’t be both – at least not without some qualification of the exact dynamic so that we can understand why it’s possible for it to be both.   

Look, my point isn’t to “do down” any of this work.  In point of fact, any reliable data (no matter the source) is good data in my opinion and both of these reports are interesting, informative, and useful barometers of something going on in industry.  But in terms of the purpose that we put that data to, I do think it’s healthy to be critical in how we view it.  Why?  Because how we digest, interpret, and reconcile the data with preconceived views can mean the difference between “true” and “false” – or between what might otherwise seem like polar opposites.     

Image source: warmnotes.com

<The views presented are my own and do not necessarily reflect those of my employer.>

Today, it’s the rare business that doesn’t have some regulation on its radar, whether it’s because the business processes credit cards, handles personal client information, is publicly traded, handles medical information, operates on behalf of a national or regional government, or any other number of considerations.

In fact, not only do most organizations have to comply with some regulatory mandate or another, most of them need to comply with multiple regulations. InformationWeek’s 2012 Regulatory Compliance Survey found that 71% of the organizations surveyed had more than one compliance requirement that they must adhere to.

If that’s interesting to you, you’ll find the full report here (forewarning: it’s a PDF) and a synopsis of it here.

<Any views expressed are mine and are not necessarily those of my employer>

Interesting data (via Popular Science) on the science of anti-drug PSA’s - or “Public Service Announcements” (remember the thing about the egg and the frying pan?)

Anyway, as it turns out, most of the time PSA’s don’t really do that much.  In fact, unless the advertisement is specially-crafted, it could even encourage kids to do drugs – especially when they hadn’t considered it before:

Carson Wagner, now an assistant professor of journalism at Ohio University, wrote his 1998 Penn State master’s thesis in media studies on the counter-intuitive effects of anti-drug ads. He demonstrated that for some kids, seeing anti-drug ads made them curious about what doing drugs would be like, even if they had never had that curiosity before.

What’s interesting to me about this is the fact that an anti-drug PSA is similar in many ways to awareness activities that people might conduct as part of a security program.  Like, when we put up a poster saying, “don’t share your password”, “lock your screen when not in use”, or “trust the computer… the computer is your friend”, does this really work?  Does it do anything to actually change employee behavior?  Empirically, the answer is no.  But yet we do it anyway – in fact, certain regulators require that we do so.

I’m wondering if the research about how to build a better PSA might help us build better security awareness programs?  Take a look at what does make a good PSA:

In the U.S., the “Above the Influence” campaign has tried to embrace the advice of Wagner and other researchers: to find out what kids who don’t use drugs do, and advertise those activities. “What they’re doing is showing more alternative activities,” he says. “They’re not bringing up the notion of drugs.”  Research shows the new campaign at least somewhat effective. A 2011 study on “Above the Influence” found that only 8 percent of teenagers who were familiar with the campaign started smoking pot, versus 12 percent of teenagers who hadn’t seen it.

Meaning, instead of focusing on the action that we don’t want, the focus is instead on the action that we do want instead.  It’s an interesting concept and I’m not sure how you’d directly incorporate that into an awareness program — but these folks found a way to “move the needle” (hey, 4% is better than nothing) when nobody else could.  So maybe there’s something for us to learn here?

Image source: tshirtcasserole.poweredbytshirts.com

<The above views are mine and do not necessarily reflect those of my employer.>