Out of respect for Kurt’s well-reasoned disagreement, I won’t try to do a TLDR synopsis here (go read it if you want the full background) other than to focus in on one point that he alludes to.  I’m still trying to get to the root of how (or if) this thing (Malcon) is different from Blackhat – and why one would be OK in our community and the other not (since there are quite a few folks who feel that way).  So what Kurt said that was a starting point for me on my musings this morning was this one:

…blackhat/defcon are about more than just the race to zero or the blue pill. the blackhat/defcon conference pair focus on a wide variety of security issues, many of which not only deserve to be highlighted but also contribute to the betterment of the security condition… by way of contrast (since ed’s argument compares blackhat/defcon to malcon simply by substituting one for the other in his logical framework above), malcon focuses explicitly and exclusively on the advancement of malware creation which is (in general) incapable of providing the same contribution to the security condition.

Like I said, this is just one of Kurt’s points and not intended to represent everything he said – or even most of it.  But it got me thinking more about why people have a problem with Malcon but not with other conferences. In other words, why someone would object to a conference like this one but not to something like Blackhat, HOPE, or toorcon.

Kurt alludes to about Blackhat forwarding the security condition and Malcon detracting from it so one is good and the other not.  I don’t know…  We have no way to measure the security benefit of Blackhat.  We posit that it moves security forward, but does it really?  Put aside the fact that we have no evidence about Blackhat, say for the sake of argument that it does make security better. Does Malcon detract from it?  Again, it hasn’t happened yet, so anything we say is speculation.  I personally doubt it, but maybe.  The point is – we can’t know which conferences forward security and which don’t.  Doesn’t it depend on circumstance?  Is a malware author passing out drunk at RSA better for forwarding the security industry? Is a junior AV researcher learning how to analyze malware at Malcon setting it back?  Not sure I buy it that it’s either all one way or all the other.

And we know the objection can’t be based on content.  Put aside the fact the fact that (again) the conferences hasn’t happened yet (so we could find out that it’s really a Mass Effect fan con in disguise for all we know – like “Rickrolling” but for malware.)

The only real “meat” about what’s going on there comes from the cursory overview of the sessions, which are vague.   The sessions as stated are:

• Reverse Engineering Walkthrough
• Introduction to WIN32 Programming
  
• Introduction to Reverse Engineering
• Malware “Concept” Introduction
• Coding a Malware
• Malware Analysis

So, with the exception of the penultimate module (“Coding a Malware”), this looks like it could be any day’s agenda from the development track at an RSA conference. For the coding a malware part, I’d bet that percentage-wise it’s probably about the same time spent on that as the Sonoma State University class where they author malware.

So to accept that Malcon detracts from the security community, based solely on the content you would have to also accept that Sonoma State does.

Maybe you do. Maybe you believe that Sonoma State is evil. Even taking that off the table, there’s still a spectrum here. On the one side, you have security conferences that have nothing to do with malware (like Cardtech or RSA).  On the other you have conferences that provide varying degree of information that could be of use to a malware author (Defcon, toorcon, pumpcon,summercon, etc.).  If it’s based on content, that means there’s a magic percentage of where it goes from “OK” to “evil”.  And we know it’s less than 16% (the percentage of Malcon dealing with malware authorship).

But I don’t think any of that is true.  What I think is really more likely is that the objection is not about the content, or the impact to the industry, or anything else.  I think it’s about the fact that it’s called “Malcon” and (to a lesser extent) the fact that people think it’s somehow forwarding the malware writing community.  I posit that if you took any conference (say our hypothetical Mass Effect fan con cited earlier) and named it something like “Malware Writers’ Conference for Global Evil” and marketed it with a picture of a virus giving a raspberry… Well, you’d get static from somebody (really guys?  the virus picture?)

As far as intent goes, I also think people think this is a conference somehow intending to forward the malware author community.  Who would want that?  Their actual intent isn’t really that, by the way.  Their stated goal is, “…to help the Security Industry… so that they can build better and secure code, as well as work towards mitigating potential new attack vectors.”

SCADA (supervisory control and data acquisition) systems run critical infrastructure and manufacturing processes. SCADA is what the local power company uses to manage usage on the grid and ensure customers have energy during times of high use. It’s also what manufacturing plants use to manage the shop floor to make sure production can continue without interruption. If you’re like most network and application security professionals, you’ve never worked with a SCADA system. SCADA knowledge is specialized and often not covered in traditional security training and certifications like the CISSP. Only one major certification, the Critical Infrastructure Institute PCIP (professional in critical infrastructure protection), really covers SCADA training.
Jonathan Pollet, founder of Red Tiger Security, a consulting and testing company that specializes in SCADA and critical infrastructure, notes: “SCADA Engineers and System Integrators know how to design, commission, and maintain real-time control systems, but typically do not have the right skill sets and training to embed security into those systems. They typically do not understand how to properly harden the servers, operator workstations, and network infrastructure, and in most cases, these systems are commissioned with default passwords and administrator accounts with no passwords.”

To read the rest of the article, please click here.

Many thanks to Carol Baroudi, Founder of Baroudi Group, Inc. for kind permission to reprint this document.

Software and technology vendors, especially those in the United States, have gotten into the habit of overselling the capabilities of their products in an effort to close deals. While this is an annoying practice for non-security related products, it can be downright dangerous when it’s applied to the products that enterprises rely on to protect their assets. The issue is so serious that the government has stepped in. On August 8, 2002 the FTC ruled that Microsoft had misstated the security of their Passport product.
Timothy Muris, FTC Chairman said, “Privacy and security promises must be kept. It’s good business. It’s the law, and we’ll take action against companies that do not keep their promises.” Security vendors that overstate the ability of their solutions can lead to enterprises installing inferior systems that don’t work as advertised. And the use of inferior products can translate into security vulnerabilities and costly exploits and attacks. How bad can it get?…

To continue reading please click here.

So when I came across this article this morning citing how “email is still the top source of data loss“, I was curious.  It struck me as odd, because it doesn’t jive with what we’ve seen from other data outlets.  

Specifically, if you look at the public breach disclosure data, you see quite clearly that email isn’t anywhere even close to the top of the list – it’s not even close to the middle.  I repeated the calculation that these folks did back in 2007 on the most current data available – and email currently represents just over 1.5% of data breaches.

Which begs the question… if email is so underrepresented in actual breach disclosure data, why is it 35% on the ProofPoint leakage chart?  Hmm…  Now, it could be tempting to throw up our hands and say, “hey… it’s vendor data. Par for the course.”  But I’m not ready to go there.  Instead, I think there’s something going on.

I think that the ProofPoint survey (I’m assuming it’s a survey based on how the data is structure, but they never actually say how they derived the data) points out that the instrument that they are using to measure over-reports email as being vulnerable.  And in this case, that “instrument” is our own perception.

As you might be able to tell from the title of their article (“Malware Convention — Not a Good Idea”), that PC World…  well, they don’t think it’s a good idea.

They quote Grimes who says the following:

No good can come from the conference…  There have been similar projects before: virus coding books (plenty of them), dozens of malware ezines, etc., and none add to the good side of the equation…”

Pretty strong words.  I’d be on board with that as I stated the other day, but something about the logic of all this doesn’t sit right with me.  And the more I pick at it, the more it bothers me. Expressed as a syllogism:

• Major premise:  All conferences that provide details on how to create malware are a “bad idea”
• Minor premise:  Malcon is a conference that provides details on how to create malware
• Conclusion: Malcon is a “bad idea”

And then:

• Major premise:  All conferences that provide details on how to create malware are a “bad idea”
• Minor premise:  Blackhat/Defcon provide details on how to build malware (e.g. the Invisible Things Blue Pill presented at Defcon 2006; stated goal, “creating 100% undetectable malware”)
• Conclusion:  Blackhat/Defcon is a “bad idea”.

But it clearly isn’t – at least most of us don’t think so.  As PC World points in their first paragraph, Blackhat/Defcon is a “reputable venue” in the security community.  And I keep getting boxed in by the logic.  Either the major premise is false and Blackhat is reputable (i.e., not a “bad idea”), or the major premise is true and Blackhat is not reputable  (a “bad idea”)… in exactly the same way as Malcon is.

Now, I know this is not going to be a popular position…  But I’m not willing to give up the ghost on Blackhat.  I like Blackhat.  I’ve been going to Defcon for over a decade.  So I don’t think that it’s a bad idea.  I think historical precedent has given those conferences respectability… which it probably wouldn’t have if it started today.

So by virtue of the fact that my brain can’t handle the cognitive dissonance associated with defying the logic, I’m going to put the stake in the ground that MalCon is OK.  Or, at least, not “bad” based solely on the single criteria that they’re discussing details about how to create malware.  Maybe somebody else is willing to throw some hate Blackhat’s direction and say it’s not a good idea either… but saying one is OK and one isn’t?  I’d advocate that if you’re going to come out against one, you should stop attending the other.

For more, take a look at this coverage:

From eWeek:

CA Technologies has agreed to acquire Arcot Systems for its authentication and anti-fraud technology. The acquisition comes with a price tag of $200 million. Founded in 1997, Arcot develops software-based digital signature and identity tools to help secure online transactions. Delivered via the cloud or on-premise, the company’s products protect about one million online credit card transactions a day, according to Arcot. CA’s plan is to blend Arcot’s capabilities with CA’s identity and access management (IAM) solutions, specifically the CA SiteMinder portfolio.

Full article at eWeek.

From eSecurity Planet:

Business software developer CA this week acquired Arcot Systems, a privately held provider of cloud-based fraud-prevention and authentication software applications, as it looks to pad out its identity and access management (IAM) portfolio. The $200 million, all-cash purchase is expected to close by the end of September and will be “slightly” accretive to CA’s (NASDAQ: CA) net income by the end of its fiscal year in March. Sunnyvale, Calif.-based Arcot provides both cloud-based and on-premises identity management and fraud prevention applications that track more than 1 million credit-card transactions a day. CA officials said that the addition of Arcot’s technology to CA’s SiteMinder portfolio of security apps will enable customers to reduce the risk of fraud and identity theft for their online transactions and meet regulatory requirements in a faster, cheaper and more effective fashion.

Full article at eSecurityPlanet.

The TLDR version is that users are seeing wacky wild charges – into the thousands of dollars – leaving their accounts via PayPal and going to a suspicious-looking application developer.  First, apple went out there saying that it’s totally not them and that they couldn’t fix it even if it was.

PayPal has a similar message as of this morning as well; from their CISO:

We’ve looked into this extensively, and want to assure you that: 1) the PayPal system itself has not been compromised and continues to be secure; and 2) if you have been affected by this issue, the criminals behind it have not taken over or logged into your PayPal account.

It’s apparently nobody’s fault.  He goes on to tell us to eat our vegetables:

Issues like this are a good reminder to be extra vigilant with any personal and financial information when you’re online. It’s also important to know that if a criminal gains unauthorised access to your PayPal account, PayPal will cover you for the full amount of unauthorised transactions. But I believe that an ounce of prevention is worth a pound of cure.

Um… OK.  Thank you for the PSA, PayPal.  Great advice from folks as well known for their robust security and lack of fraud.

So back to the issue at hand – what’s the solution to the fraud issue?  Oh, you still don’t know?  Apple?  PayPal? Either of you have a clue? Maybe it’s a good idea to figure that out before we all line up press conferences about whose fault it is.

In July, Visa Inc. got out ahead of the Payment Card Industry (PCI) Security Standards Council and issued its own best practices for tokenization and PAN truncation. While quite a lot of attention has been paid to the tokenization side of the recently issued guidance, the truncation side has received less attention. We thought it would be useful to address the other side of this vital PCI Data Security Standard compliance issue.

For the rest of the article, please click here.

Source: iwastetoomuchtimeatwork.blogspot.com

I started off by reading this post over at CSO magazine about “3 areas where FUD needs to stop“.  Anyway – I hate the FUD as much as the next guy, so it caught my eye.

Anyway, reading through the article, James “Jimmy” Blake (CSO for Mimecast) lays out the top three FUD-quakes that need to get the boot.

As I read through, I confess to being somewhat critical of the three areas that they call out as being specifically FUD-friendly: Apple, Facebook, and the cloud.  Not that I disagree with any of those, mind you.  But where was cyberterrorism?  What about critical infrastructure?  SCADA?  Voting machines?  Death by malware?

C’mon Jimmy!  There’s plenty more places where FUD needs to stop.  Anyway, I was going to get all cranky about this but then I went over to the Jimmy Blake blog and came across this where he tells it like it is.   And now I’m all good.  So, thanks, Jimmy – I’m in your camp now.

Now there’s a brilliant idea.  Of course, I’m not sure if it occured to anyone over there, but the ability to make free calls, from over the Internet in IP-accessible fashion has a huge security impact.  Not only that, but it’s a huge win for robocallers.  How do I know this?  Because we’re experiencing the pain of the denial of service from robocalling quite vividly.

Apparently, there’s a carpet-cleaning service (who wisely doesn’t list their name as part of their pitch) who keeps calling… and calling… and calling…

Check out the call record:

Aug 26, 2010    12:18 PM         14089999999
Aug 26, 2010    12:18 PM         14089999999
Aug 26, 2010    12:18 PM         14089999999
Aug 26, 2010    12:18 PM         14089999999
Aug 26, 2010    12:18 PM         14089999999
Aug 26, 2010    11:03 AM         14089999999
Aug 26, 2010    11:03 AM         14089999999
Aug 26, 2010    11:01 AM         14089999999
Aug 26, 2010    11:01 AM         14089999999
Aug 26, 2010    11:01 AM         14089999999
Aug 26, 2010    11:01 AM         14089999999
Aug 26, 2010    11:01 AM         14089999999
Aug 26, 2010    11:01 AM         14089999999
Aug 26, 2010    11:01 AM         14089999999
Aug 26, 2010    11:01 AM         14089999999
Aug 26, 2010    11:01 AM         14089999999
Aug 26, 2010    11:00 AM         14089999999
Aug 26, 2010    11:00 AM         14089999999
Aug 26, 2010    11:00 AM         14089999999
Aug 26, 2010    11:00 AM         14089999999
Aug 26, 2010    11:00 AM         14089999999
Aug 26, 2010    10:43 AM         14089999999
Aug 26, 2010    10:38 AM         14089999999
Aug 26, 2010    10:43 AM         14089999999
Aug 26, 2010    10:41 AM         14089999999
Aug 26, 2010    10:41 AM         14089999999
Aug 26, 2010    10:41 AM         14089999999
Aug 26, 2010    10:40 AM         14089999999
Aug 26, 2010    10:40 AM         14089999999
Aug 26, 2010    10:40 AM         14089999999
Aug 26, 2010    10:39 AM         14089999999
Aug 26, 2010    10:39 AM         14089999999
Aug 26, 2010    10:39 AM         14089999999
Aug 26, 2010    10:38 AM         14089999999
Aug 26, 2010    10:38 AM         14089999999
Aug 26, 2010    10:38 AM         14089999999
Aug 26, 2010    10:38 AM         14089999999
Aug 26, 2010    10:38 AM         14089999999
Aug 26, 2010    10:38 AM         14089999999
Aug 26, 2010    10:38 AM         14089999999
Aug 26, 2010    10:37 AM         14089999999
Aug 26, 2010    10:37 AM         14089999999
Aug 26, 2010    10:37 AM         14089999999
Aug 26, 2010    10:37 AM         14089999999
Aug 26, 2010    10:37 AM         14089999999
Aug 26, 2010    10:37 AM         14089999999
Aug 26, 2010    10:37 AM         14089999999
Aug 25, 2010    06:36 PM         14089999999
Aug 25, 2010    06:30 PM         14089999999
Aug 25, 2010    06:28 PM         14089999999
Aug 25, 2010    06:25 PM         14089999999
Aug 25, 2010    12:11 PM         14029820899
Aug 25, 2010    12:09 PM         14029820899
Aug 25, 2010    12:06 PM         14029820899
Aug 25, 2010    12:06 PM         14029820899
Aug 25, 2010    12:06 PM         14029820899
Aug 25, 2010    12:05 PM         14029820899
Aug 25, 2010    12:05 PM         14029820899
Aug 25, 2010    09:02 AM         14029820899
Aug 25, 2010    09:03 AM         14029820899
Aug 24, 2010    04:08 PM         14029820899
Aug 24, 2010    04:05 PM         14029820899
Aug 24, 2010    03:52 PM         14029820899
Aug 24, 2010    03:51 PM         14029820899
Aug 24, 2010    03:37 PM         14029820899
Aug 24, 2010    03:37 PM         14029820899
Aug 24, 2010    03:21 PM         15334333222
Aug 24, 2010    03:20 PM         15334333222
Aug 24, 2010    03:03 PM         14089999999
Aug 24, 2010    03:02 PM         14089999999

Oh yeah… please to enjoy.  Good thing we like our ring tone.

We started off the “ZOMG! GET IT TO STOP” process by calling Vonage (our VOIP provider of choice) and complaining about it.  There’s literally nothing they can do. Their recommended ”option” – change the number – which they’ll do for free.  Of course, given how we use this particular number, changing it to something else really isn’t viable.

Vonage doesn’t allow us to block the source number – but that wouldn’t really matter anyway because the originating number comes up as multiple different source numbers in random-appearing fashion – as you can see in part from the list above.  We reported it to our state DoJ and put ourselves on the “do not call” list – but one wonders how effective either of those courses of action might be (if today is any indication, not effective at all.)

Under the law, these folks of are required to provide an “opt out” function, which we’ve attempted.  However, they have yet to honor our request.  So… thanks to any provider that makes calls to land-lines free but doesn’t allow the destination of those calls to block them. Though it might be “whack-a-mole” to block specific numbers – without even that ability we’re getting DoS’ed.

In the past, services like Vonage, Skype, or MagicJack offering free call service also have the potential to forward robocalling.  But the barrier to this kind of abuse in that context allows the operator of the service to rapidly shut down the abuse by any particular party.  But in this context, the barrier to fraud is further reduced.  And it’s no fun. Even though we do love the final movement of Beethoven’s 9th Symphony.