Archive for the ‘The Law: Fear It’ Category
“DarkMarket” was FBI Sting
Cool reading over at Wired. Turns out that the “DarkMarket” was an FBI sting. Wonder if that’ll throw off people who’ve been using this source to get information about the price of stolen data.
On Remingtons, Magnums, and CISSP
In case you haven’t heard, a bunch of folks in our industry are pretty fired up. They’ve gotten it in their heads that the worst thing that could possibly happen to the noble institution that is CISSP is for college students to get certified. The contention is that CISSP is supposed to be just for security practitioners, and college students can’t have the type of real-world experience required in order to legitimately obtain the cert. ISC^2 retorts that they are not giving away *real* CISSPs – but instead a sort of “CISSP-lite” that would be in place until the students got the experience required to move to the full-blown CISSP once they’ve cut their teeth.
All the brouhaha leads me to once again question the current certification process. Clearly there are issues, and all you have to do to see them is consider the “value” of the CISSP to the practitioner vs. the “value” of the CISSP to ISC^2. There’s a fundamental disconnect between what motivates people to get CISSPs and what motivates ISC^2 to give it out. Look, the practitioner derives value from holding a CISSP due to its “exclusivity”; in other words, the fewer people that have the certification, the more valuable it is to the credential holder – that’s why this issue with the college students is causing such a ruckus – it decreases the exclusivity of the cert. On the other hand, ISC^2 (as a for-profit entity) derives “value” from the CISSP due to popularity. That is, the more popular the cert is, the more people they can get certified; the more people get certified, the more money they make – that’s why the college students thing seems like such a good idea to ISC^2. These two sets of goals, while balanced for the short term, are at odds over the long term.
Of course, the true malcontent would say that the value of the CISSP is neither about popularity nor exclusivity, but is instead about utility. In which case, CISSP is already being eclipsed by yet another security certification – the most majestic of certs – the PI license. Umm… Yeah. See, since information security is (as a whole) an unlicensed discipline, practitioners without CISSPs are just as free to practice as those with – CISSP may (or may not) increase your salary, but it doesn’t do bupkis for your ability to do the work. However, a PI license is starting to be mandatory for some areas of infosec. Laughable though it may seem, some states such as Georgia are requiring infosec practitioners to have a PI license in order to provide expert testimony in a court of law. More specifically, when the case involves “acquiring evidence” (e.g. forensics and incident response), only the evidence of a licensed PI is acceptable. So Remington Steele, Magnum PI, or any other cheesy eighties dick has a better chance of getting a slot as an expert witness in a Georgia courtroom than a trained CISSP, CISM, CPA, CPR, CLAP, or any other combination of letters – unless that CISSP is really a CISSPPI (a CISSP with a PI).
So the question to ask if you want to get certified probably isn’t “how much experience do you have in security?” but “do you look better in a tux or a Hawaiian shirt?”
Keystone Cops go Virtual
As a security guy, I’ve always viewed law enforcement as “brothers and sisters in arms” – I’ve always felt a close camaraderie with the folks whose job it is to go out there and bring the bad people to justice. After all, isn’t that pretty much what we’re trying to do as security people? But recently it seems like law enforcement is making it tougher and tougher for us infosec folks to do our job.
Don’t believe me? Check out the recent prosecution of Eric McCarty for pointing out a web application security flaw exposing personally identifiable information at the University of Southern California. Here’s a guy who found a flaw in a public web app, brought it to the attention of the folks over there, and got arrested for his efforts. Apparently, PII was available through the web app, McCarty noted this, anonymously divulged the information through a third party (with the intention of having it get back to the University), and because he looked at that data he was arrested. Now, it seems to me that if the University of Southern California makes subscriber data available through their own incompetence, the folks who happen to come around and look at it shouldn’t get arrested for doing so.
From now on, I’m calling it “CHiPs”
Ahem… So, Panda put out a press release last week that (unfortunately for me) interested me enough to entice me to download and read a marketing whitepaper about TruPrevent. Now, I have nothing against Panda, but lest anybody accuse me of endorsing the paper (trust me, I don’t), let me assure you that the only reason I’m bringing it up is that it drew my attention to a new acronym that was used extensively within the paper. The acronym was “PIPS”, or “Personal Intrusion Prevention System”. Umm…. Yeah.
So for a while now we’ve had NIPS (Network Intrusion Prevention System) and HIPS (Host-based Intrusion Prevention System); now, apparently, somebody thinks that we need a completely new acronym. Now, rather than staying with the anatomy motif and choosing something like LIPS (that would have been my pick), they’ve elected to use “PIPS”. I’m not entirely clear on what makes it “personal” – although both Panda and Gartner seem to imply that the fact that it’s integrated makes it personal… Maybe that’s it, although it seems to me that saying “PIPS” is more confusing than saying “suite”.
Anyway, given the tendency for people to slap an -IPS suffix on random letters, I wanted to use this humble forum to go on record as reserving the “CHiPs” acronym for future use. Yep, that’s right – “Consolidated Holistic Intrusion Prevention System”. CHiPs is the natural evolution of the market, and provides a robust framework for prevention of nefarious activity. You heard it here first. Here are the features that differentiate a true CHiPs:
- The use of two agents working in tandem
- Uses lightweight, maneuverable “mobile” agents
- Ability to locate and investigate mobile threats
- Designed “to protect and to serve” both consumer and enterprise PCs
- Half the footprint of traditional mobile agents
This is coming, and man is it going to be awesome when it gets here.
Who’s Above the Law?
Taking a quick break from infosec and into the broader realm of law-enforcement, I pose the following hypothetical question:
What do you suppose would happen if I was involved in a hit-and-run, then I was videotaped almost running down a crowd of pedestrians, and then I told a crowd of police officers that I was drunk behind the wheel? I think it’s a safe bet that I’d spend the night downtown in the “windowless hotel”, don’t you?
Apparently, not so if you’re Paris Hilton. To illustrate the point that we’re all equal under the law – but that some of us are more equal than others – the LAPD let Paris and her friends stumble away unchallenged from a videotaped hit-and-run, obvious reckless driving, and a probable DUI. Don’t believe it? See it on video. It’s being rebroadcast by CNN to give it that air of legitimacy.
Hoffing – The New Trend In Defacement
Everybody loves David Hasselhoff. And why not? His singing ability notwithstanding (which I’ve never heard so I can’t comment on), most of us have seen and/or enjoyed Knight Rider, Baywatch, and (more recently) the SpongeBob SquarePants Movie.
Personally, I love this. So also do folks over at “The Age” in Australia – they’ve reported several Hoff sightings or “hoffings” as it’s been called and they’ve even gone so far as to ask him about it. Surprisingly, he was pretty good natured about it and actually viewed it as a compliment; go David.
Scary stuff in the courts
Scarily enough, the Supreme Court ruled that, despite the name (‘order’), restraining orders are more or less just guidelines that the police can choose to follow (or not) as they deem fit. In other words, if person A gets a restraining order against person B and the cops elect not to enforce it, there is no recourse for person A. In the particular case that decided this, a woman’s ex-husband (whom she had a restraining order against) abducted her children, and the police (whom she called repeatedly) took no action for 10 hours until the ex-husband killed them all. The ex-wife informed the police where he was no less than four times, and showed up at the police station trying to get the police to take action (which they did not). The findings of the Supreme Court were that (to paraphrase) “the wheels of the law grind slow; they will not be rushed, they will not be threatened, and they have no accountability.” Sounds OK unless you’re the one being stalked/threatened/abused.
Thanks to Alan for passing this one my way.
“Candid Cop Camera”
Cameras at traffic lights came up for a vote in NH this week. And I quote:
“So when a bill came up in early April to consider allowing robotic traffic cameras at the busiest crossroads, mocking laughter from the gallery preceded the measure’s demise.”
Mocking laughter… Have I said how much I love it here recently?
Giving Thieves the Finger
Apparently, a gentleman was getting into his Mercedes and was assaulted by thieves. In order to bypass his biometric theft deterrent system, they took his finger with them. I think I’d rather not have the biometric system than lose a finger because of it…
FTC settles with Guess on Web vulnerabilities
“The Federal Trade Commission (FTC) has settled a case with clothing and accessory vendor Guess Inc., in which the agency had accused the company of not taking appropriate measures to secure its Guess.com Web site.”
This isn’t the first time the FTC has gone after a company for exposing customer data; it also slapped the hands of MSFT for Passport issues and Eli Lilly for shipping out an email containing the email addresses of almost 700 Prozac users. But this one is notable because Guess is a clothes merchant. So anyone collecting personal data on a web site needs to address their security and privacy architectures to avoid similar cases against themselves in future. It goes without saying that they should be doing this anyway, but if fear of FTC notice gets folks to take the issue more seriously, that’s, as Martha would say, “a good thing.”