2010 Security Prognosticators – Put Your Money Where Your Mouth Is!!!

Just saw where Symantec has released their 2010 Security Trends to watch.  Now not to pick on Symantec (I’m guilty of the same mess in the past myself over on my old blog) but usually these sorts of prognostication lists are full of the same horse@!@#$.  For example:

8.  Mac and Mobile Malware Will Increase
In 2009, Macs and smartphones will be targeted more by malware authors. As Mac and smartphones continue to increase in popularity in 2010,

“More” is a fuzzy, useless prediction.  We have a fairly benign “DNS Changer” thing on the Mac.  And that’s about it (source: an informal and utterly unscientific poll of College Security Admins I did on Twitter).  Does “more” = something else you have to be looking at naughty pr0n and give admin rights to be taken advantage of?  Or does it mean something that will cause us all to actually *use* anti-malware on the Mac?  We don’t know.  But all the author needs is “more = another”, and they’re right.  Bleh.


So this year, let me challenge you to make a change.  If you think that there’s going to be a “trend” or “something” to watch for in 2010, let’s see you put your money where your mouth is and be specific.

By specific, I mean go ahead, play weatherman and add a 1-100% “chance” that it’ll happen.   What I’ll do here on the NewSchool blog is collect these, and then we’ll do an ad-hoc sort of “Alex + Brier Score” model on the foretelling this time next year and we’ll see who does a good job.  Yep, it’s a challenge – if you think you’re good/important/wise enough to make a prediction for next year, then you don’t mind if we hold you accountable, right?

Score Rules/ Model:

1.)  We’ll use Wikipedia’s Brier Score example as the basis for our Model:

Suppose it is required to give a probability P forecast of a binary event – such as a forecast of rain. The forecast issued says that there is a probability P that the event will occur. Let X = 1 if the event occurs and X = 0 if it doesn’t.  Then the Brier score is given by:

  • If you forecast 100% (P = 1) and there is at least 1 mm of rain in the bucket, your Brier Score is 0, or “perfect”.
  • If you forecast 100% P and there is no rain in the bucket, your Brier Score is 1, or “awful”.
  • If you forecast 70% P and there is at least 1 mm of rain in the bucket, your Brier Score is (0.70-1)^2 = 0.09, or “not too shabby”.
  • If you forecast 30% P and there is at least 1 mm of rain in the bucket, your Brier Score is (0.30-1)^2 = 0.49, or “needs work”.
  • If you hedge your forecast with a 50% P and whether or not there is at least 1 mm of rain in the bucket, your Brier Score is 0.25, or “no courage”.

Then I’ll poll NewSchool bloggers to see if the prognostication was “lame” (i.e. the sun will shine at some point in 2010).  I’ll use an ad-hoc completely stupid 1-10 scoring system where 1=lame and 10=gutsy, multiplying the Brier score by the “Alex” score to come up with the final score for the prediction.

Just to make this even more fun, in addition, we’ll also gather a “% cowardly prognostication” metric.  The losers will be given the “Brave Sir Robin” award for soiling their armor in the face of a cute little bunny.
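To make the scoring model concrete, here is an added example (not part of the original post) that scores a set of constructed predictions: the Brier score is computed exactly as in the Wikipedia cases above, the final score multiplies it by the 1-10 “Alex” score as described, and the “% cowardly” metric counts forecasts that sit within an assumed 10-point band around 50%. The forecasters, claim ids, probabilities and outcomes are constructed sample data.

```python
from statistics import mean

# Constructed sample predictions: forecaster, claim id, the probability the
# forecaster attached to it, and the 1-10 "Alex" gutsiness score (1 = lame).
PREDICTIONS = [
    {"who": "alice", "claim": "mac-malware-no-admin", "p": 0.70, "alex": 8},
    {"who": "alice", "claim": "sun-shines-in-2010", "p": 1.00, "alex": 1},
    {"who": "bob", "claim": "10m-record-breach", "p": 0.50, "alex": 6},
    {"who": "bob", "claim": "mobile-malware-outbreak", "p": 0.30, "alex": 9},
]

# Constructed outcomes, the kind of thing that gets filled in a year later.
OUTCOMES = {
    "mac-malware-no-admin": False,
    "sun-shines-in-2010": True,
    "10m-record-breach": True,
    "mobile-malware-outbreak": False,
}

HEDGE_BAND = 0.10  # assumed: within 10 points of 50% counts as "cowardly"


def brier_score(p, occurred):
    """Single-event Brier score (P - X)^2, with X = 1 if the event occurred, else 0."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    x = 1.0 if occurred else 0.0
    return (p - x) ** 2


def is_cowardly(p):
    """A hedge: the forecast sits inside the band around 50%."""
    return abs(p - 0.5) <= HEDGE_BAND


def score_forecaster(who, predictions=PREDICTIONS, outcomes=OUTCOMES):
    """Mean Brier, mean Brier x Alex (the post's final score) and % cowardly."""
    mine = [pr for pr in predictions if pr["who"] == who]
    if not mine:
        raise ValueError(f"no predictions for {who}")
    briers = [brier_score(pr["p"], outcomes[pr["claim"]]) for pr in mine]
    finals = [b * pr["alex"] for b, pr in zip(briers, mine)]
    cowardly = sum(is_cowardly(pr["p"]) for pr in mine)
    return {
        "brier": mean(briers),
        "final": mean(finals),
        "pct_cowardly": 100.0 * cowardly / len(mine),
    }


def leaderboard(predictions=PREDICTIONS, outcomes=OUTCOMES):
    """Forecasters ordered best first: a lower final score is better."""
    names = sorted({pr["who"] for pr in predictions})
    rows = [(who, score_forecaster(who, predictions, outcomes)) for who in names]
    return sorted(rows, key=lambda row: row[1]["final"])


if __name__ == "__main__":
    for who, s in leaderboard():
        print(f"{who:8s} brier={s['brier']:.3f} final={s['final']:.3f} "
              f"cowardly={s['pct_cowardly']:.0f}%")
```

Because a correct forecast has a Brier score of 0 whatever its probability, multiplying by the Alex score only enlarges misses: a gutsy prediction that comes true still scores 0, a gutsy one that misses is punished nine times harder than a lame one. Lower is better throughout.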

FBI Gets all New School

“Of the thousands of cases that we’ve investigated, the public knows about a handful,” said Shawn Henry, assistant director for the Federal Bureau of Investigation’s Cyber Division. “There are million-dollar cases that nobody knows about.”

“Keeping your head in the sand on filing a report means that the bad guys are out there hitting the next guy, and the next guy after that,” Henry said.

You mean we need to share data and learn from each other’s mistakes? Sounds good to me!

Quoting Reuters, “Cyber breaches are a closely kept secret.”

Tifatul Sembiring Causes Disasters

The BBC reports that “Indonesia minister says immorality causes disasters”:

A government minister has blamed Indonesia’s recent string of natural disasters on people’s immorality. Communication and Information Minister Tifatul Sembiring said that there were many television programmes that destroyed morals. Therefore, the minister said, natural disasters would continue to occur.

His comments came as he addressed a prayer meeting on Friday in Padang, Sumatra, which was hit by a powerful earthquake in late September. He also hit out at rising decadence – proven, he said, by the availability of Indonesia-made pornographic DVDs in local markets – and called for tougher laws.

Now, you might think I’m just being snarky, but the opportunities that are open to a communication and information minister include communicating about earthquake or tidal wave safety, or how to cope afterwards. If Sembiring is sharing his bizarro ideas that a lack of morals causes people’s homes to collapse, then he is clearly putting his energy into the wrong message. He should be encouraging people to learn first aid, to have a small disaster kit, etc.

But to the extent that he’s delivering morality over engineering, preparedness, and response, he’s turning natural events into worse disasters.

Earthquake photo part of the Padang earthquake set by dapiiiiit

For Those Not In The US (or even if you are)

I’d like to wish US readers a happy Thanksgiving. For those outside of the US, I thought this would be a nice little post for today: A pointer to an article in the Financial Times,

Baseball’s love of statistics is taking over football

Those who indulge my passion for analysis and for sport know that I love baseball and love how the “Moneyball” approach challenged decades of dogma in the national pastime with scientific analysis.  Today’s Financial Times discusses how Chelsea (“The Blues” – UK football team) collaborates with the Boston Red Sox (the most superficial bandwagon team ever in baseball) on decision making and analytics.

Go Blues

Best lines:

“Mike Forde, Chelsea’s performance director, visits the US often. “The first time I went to the Red Sox,” he says of the Boston baseball team, “I sat there for eight hours, in a room with no windows, only flipcharts. I walked out of there saying, ‘Wow, that is one of the most insightful conversations on sport I have ever had.’ It was not: ‘What are you doing here? You do not know anything about our sport.’ That was totally irrelevant. It was: ‘How do you make decisions on players? What information do you use? How do we approach the same problems?’”


“Forde sees his task as “risk management”.


An advance in the "balance" between security and privacy

Today on Thanksgiving, I’m thankful that the European Parliament has adopted what may be the first useful statement about the balance between security and privacy since Franklin:

“… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective”

Thanks to Ralf Bendrath and @privacyint for pointing it out.

Links: An area of freedom, security and justice serving the citizen – Stockholm programme, Luigi Berlinguer, and Amendment 70: 23.11.2009 B7-0155/70 (or html)

Less Is More

Great post today over on SecureThinking about a customer who used a very limited signature set for their IDS.

Truth of the matter was that our customer knew exactly what he was doing. He only wanted to see a handful of signatures that were generic and could indicate that “something” was amiss that REALLY needed to be looked at. Not that something was a quasi attack or could be successful if only that OS was running this configuration of application X — just the nuts and bolts fundamentals of good ‘ole fashion network monitoring. His SNORT’s ran fast, faster than any other IDS of the same hardware investment, because pattern matching was reduced to a handful of rules.

I’m a huge fan of this sort of setup and something that I’ve promoted within the companies I’ve worked with. Why bother looking for something you know you aren’t vulnerable to either because you’ve patched it, configured around it or don’t have that issue at all? Furthermore, if you have signatures installed that you don’t care about, you are just creating noise that is hiding the stuff you really care about.

This does assume that you have a certain level of maturity and actually have the asset, patch and configuration management issues more or less under control. If you don’t, then this, like many other problems, remains intractable.

If you have a disciplined, mature organization, you can largely, if not completely (depending on how complex your company is), move to using only signatures that tell you when something out of the ordinary is going on, and it doesn’t take a complex piece of software, such as Cisco MARS or Maltego, to warn you. Instead, you configure just signatures for things like too many of certain classes of events coming from a certain machine:

Error 404: A client has requested something from my webserver that it does not have, or does not have at the location some client was looking for. When a high number of distinct web servers report 404 to a single client host, that host is not up to any good.

Or use of IP space you should never see on your internal network:

DARKNET: There was some IP traffic (ICMP/TCP/UDP doesn’t matter) from an RFC1918 (private) host that we didn’t allocate, or just don’t know about. This is the equivalent of the Police “running” a license plate, and the response coming back “not in system.” How many police would consider that a routine false positive and let the driver go without further questioning?

Alternately, you can look for events such as machines serving up DHCP who shouldn’t be or the sudden appearance of web servers on subnets that didn’t have them in the past.

I like to call this sort of configuration, “Signature Based Anomaly Detection.” It’s not fancy and it’s not complex, but it will tell you when something weird is going on. It may turn out to be a security issue, a misconfigured machine or someone violating change control, but regardless, it’s a great way to actually make your IDS useful and not just something you have to do because an auditor says you have to.
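The two rules above, the 404 fan-out and the DARKNET check, as an added example that is not from the original post or from SecureThinking. The log formats (one web access record or one flow record per line), the address plan that says which RFC1918 space was actually allocated, and the fan-out threshold are all assumptions; the log lines are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed web access records, one per line: "<server> <client> <status> <path>".
WEB_LOG = """\
www1 10.1.5.20 200 /index.html
www2 10.1.5.20 404 /phpmyadmin/
www1 10.1.5.20 404 /admin/
www3 10.1.5.20 404 /wp-login.php
www4 10.1.5.20 404 /cgi-bin/test.cgi
www1 10.1.7.9 404 /favicon.ico
www1 10.1.7.9 200 /index.html
"""

# Constructed flow records, one per line: "<proto> <src> <dst>".
FLOW_LOG = """\
tcp 10.1.5.20 10.1.9.1
udp 10.2.33.7 10.1.9.1
icmp 192.168.200.14 10.1.9.1
tcp 203.0.113.5 10.1.9.1
"""

# The three RFC1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed address plan: the private space we actually handed out. Anything else
# inside RFC1918 comes back "not in system".
ALLOCATED = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "10.2.0.0/16")]

FANOUT_THRESHOLD = 3  # assumed: distinct servers answering 404 to one client


def fanout_404(log, threshold=FANOUT_THRESHOLD):
    """Clients that collected 404s from at least `threshold` distinct servers.

    Returns {client: sorted list of servers}."""
    servers_by_client = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        server, client, status, _path = line.split(maxsplit=3)
        if status == "404":
            servers_by_client[client].add(server)
    return {c: sorted(s) for c, s in servers_by_client.items() if len(s) >= threshold}


def darknet_sources(log, allocated=ALLOCATED):
    """Flows whose source is RFC1918 space that we never allocated.

    Protocol does not matter, as in the post; returns (proto, src, dst) tuples."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        proto, src, dst = line.split()
        ip = ipaddress.ip_address(src)
        in_rfc1918 = any(ip in net for net in RFC1918)
        if in_rfc1918 and not any(ip in net for net in allocated):
            hits.append((proto, src, dst))
    return hits


def alerts(web_log=WEB_LOG, flow_log=FLOW_LOG):
    """Run the handful of rules and return human-readable alert lines."""
    out = []
    for client, servers in fanout_404(web_log).items():
        out.append(f"404-FANOUT {client} got 404 from {len(servers)} servers: {', '.join(servers)}")
    for proto, src, dst in darknet_sources(flow_log):
        out.append(f"DARKNET unallocated private source {src} -> {dst} ({proto})")
    return out


if __name__ == "__main__":
    for line in alerts():
        print(line)
```

The DARKNET rule deliberately tests the three RFC1918 blocks rather than Python’s `is_private`, which also matches documentation and benchmark ranges; the only thing the rule needs from you is an honest list of what you allocated, which is exactly the asset-management maturity the post says this approach depends on.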

Deny thy father and refuse thy gene sequence?

There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all about the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way of discovering that children they thought were theirs really carry someone else’s genes.

This raises the question, what is fatherhood? Is it the genes or the relationship? There are obviously elements of both, but perhaps there’s a rule in here: adding identity to a system makes the system more brittle.

Jail Time For ID Fraud

This past Friday, Baltimore resident, Michelle Courtney Johnson, was sentenced to 18 months in jail and a $200K fine for theft and use of PHI.

According to her plea agreement and court documents, from August 2005 to April 2007, Johnson provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit.

It’s good to see more prosecutions and convictions for ID fraud. Hopefully this trend will continue.