Shostack + Friends Blog Archive


Diagrams in Threat Modeling

When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]


Journal of Terrorism and Cyber Insurance

At the RMS blog, we learn they are “Launching a New Journal for Terrorism and Cyber Insurance:” Natural hazard science is commonly studied at college, and to some level in the insurance industry’s further education and training courses. But this is not the case with terrorism risk. Even if insurance professionals learn about terrorism in […]


Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current. Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned […]


The Evolution of Secure Things

One of the most interesting security books I’ve read in a while barely mentions computers or security. The book is Petroski’s The Evolution of Useful Things. As the subtitle explains, the book discusses “How Everyday Artifacts – From Forks and Pins to Paper Clips and Zippers – Came to be as They are.” The chapter […]


Phishing and Clearances

Apparently, the CISO of US Homeland Security, a Paul Beckman, said that: “Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars technica) Now, I’m sure being in the […]


Survey for How to Measure Anything In Cybersecurity Risk

This is a survey from Doug Hubbard, author of How To Measure Anything and he is currently writing another book with Richard Seiersen (GM of Cyber Security at GE Healthcare) titled How to Measure Anything in Cybersecurity Risk. As part of the research for this book, they are asking for your assistance as an information […]


What Good is Threat Intelligence Going to do Against That?

As you may be aware, I’m a fan of using Star Wars for security lessons, such as threat modeling or Saltzer and Schroeder. So I was pretty excited to see Wade Baker post “Luke in the Sky with Diamonds,” talking about threat intelligence, and he gets bonus points for crossover title. And I think it’s […]


What Happened At OPM?

I want to discuss some elements of the OPM breach and what we know and what we don’t. Before I do, I want to acknowledge the tremendous and justified distress that those who’ve filled out the SF-86 form are experiencing. I also want to acknowledge the tremendous concern that those who employ those with clearances […]


P0wned! Don't make the same mistake I did

I fell victim to an interesting attack, which I am recounting here so that others may avoid it. In a nutshell, I fell victim to a trojan, which the malefactor was able to place in a trusted location in my search path. A wrapper obscured the malicious payload. Additionally, a second line of defense did […]


A Mini-Review of "The Practice of Network Security Monitoring"

Recently the kind folks at No Starch Press sent me a review copy of Rich Bejtlich’s newest book The Practice of Network Security Monitoring and I can’t recommend it enough. It is well worth reading from a theory perspective, but where it really shines is digging into the nuts and bolts of building an NSM […]


A flame about flame

CNET ran a truly ridiculous article last week titled “Flame can sabotage computers by deleting files, says Symantec”. And if that’s not goofy enough, the post opens with The virus can not only steal data but disrupt computers by removing critical files, says a Symantec researcher. ZOMG! A virus that deletes files! Now that is […]


Shocking News of the Day: Social Security Numbers Suck

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over […]


Emergent Chaos endorses Wim Remes for ISC(2) Board

Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of […]


Emergent Map: Streets of the US

This is really cool. All Streets is a map of the United States made of nothing but roads. A surprisingly accurate map of the country emerges from the chaos of our roads: All Streets consists of 240 million individual road segments. No other features — no outlines, cities, or types of terrain — are marked, […]


Is iTunes 10.3.1 a security update?

Dear Apple, In the software update, you tell us that we should see for the security content of this update: However, on visiting, and searching for “10.3”, the phrase doesn’t appear. Does that imply that there’s no security content? Does it mean there is security content but you’re not telling us about it? […]


Elevation of Privilege (Web Edition) Question

Someone wrote to me to ask: A few cards are not straightforward to apply to a webapp situation (some seem assume a proprietary client) – do you recommend discarding them or perhaps you thought of a way to rephrase them somehow? For example: “An attacker can make a client unavailable or unusable but the problem […]


AT&T, Voice Encryption and Trust

Yesterday, AT&T announced an Encrypted Mobile Voice. As CNet summarizes: AT&T is using One Vault Voice to provide users with an application to control their security. The app integrates into a device’s address book and “standard operation” to give users the option to encrypt any call. AT&T said that when encryption is used, the call […]


Use crypto. Not too confusing. Mostly asymmetric.

A little ways back, Gunnar Peterson said “passwords are like hamburgers, taste great but kill us in long run wean off password now or colonoscopy later.” I responded: “Use crypto. Not too confusing. Mostly asymmetric.” I’d like to expand on that a little. Not quite so much as Michael Pollan, but a little. The first […]


Quantum Crypto is Quantum Backdoored, But It's Not a Problem

Nature reports that Quantum Cryptography has been completely broken in “Hackers blind quantum cryptographers.” Researcher Vadim Makarov of the Norwegian University of Science and Technology constructed an attack on a quantum cryptography system that “gave 100% knowledge of the key, with zero disturbance to the system,” as Makarov put it. There have been other attacks […]


Jon Callas on Comedies, Tragedy and PKI

Prompted by Peter Gutmann: [0] I’ve never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. Jon Callas of PGP fame wrote the following for the cryptography mail list, which I’m posting in full with his permission: That is because a tragedy involves someone dying. Strictly […]


Cyberdeterrence Papers

This just came past my inbox: The National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. […]


Logging practices

Via a tweet from @WeldPond, I was led to a Daily Mail article which discusses allegations that Facebook founder Mark Zuckerberg “hacked into the accounts of [Harvard] Crimson staff”. Now, I have no idea what happened or didn’t, and I will never have a FB account thanks to my concerns about their approach to privacy, […]


SearchSecurity Top Stories of 2009 Podcast

A few weeks ago, I joined the SearchSecurity team (Mike Mimoso, Rob Westervelt and Eric Parizo) to discuss the top cybersecurity stories of 2009. It was fun, and part 1 now available for a listen: part 1 (22:58), part 2 is still to come.


We Take Your Privacy Seriously

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login. Boy, am I glad […]


Security is About Outcomes, FISMA edition

Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write: the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ […]


Rebuilding the internet?

Once apon a time, I was uunet!harvard!bwnmr4!adam. Oh, harvard was probably enough, it was a pretty well known host in the uucp network which carried our email before snmp. I was also harvard!bwnmr4!postmaster which meant that at the end of an era, I moved the lab from copied hosts files to dns, when I became […]


Moore's Law is a Factor in This

I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I […]


What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks: You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will? I think it’s a fascinating question, and posted my answer over […]


Dear $LOCALBANK That I Use

Keeping a database of all of your ATM PINs in a clear (or possibly encrypted but easily reversible) text database is not a good idea. I honestly can’t see any use value for this, especially when they won’t tell you what your PIN is even if you have multiple forms of government issued identification. No […]


Kindle Brouhaha Isn't About DRM

In case you haven’t heard about it, there is a brouhaha about Amazon un-selling copies of two Orwell books, 1984 and Animal Farm. There has been much hand-wringing, particularly since it’s deliciously amusing that that it’s Orwell. The root cause of the issue is that the version of the Orwell novels available on the Kindle […]


Kindling a Consumer Revolt

Well, by now it’s all over the blogo/twitter spheres, and everything that might be said has already been said about Eric Blair, a publisher and Amazon: This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they […]


Do Audit Failures Mean That Audit Fails In General?

Iang’s posts are, as a rule, really thought provoking, and his latest series is no exception. In his most recent post, How many rotten apples will spoil the barrel, he asks: So we are somewhere in-between the extremes. Some good, some bad. The question then further develops into whether the ones that are good are […]


Bob Blakely on the Cybersecurity Conversation

Bob Blakely has a thought-provoking blog post which starts: The Cyberspace Policy Review says “The national dialog on cyber-security must begin today.” I agree. Let’s start the dialog with a conversation about what sacrifices we’re willing to make to get to an acceptable worst-case performance. Here are four questions to get the ball rolling: Question […]


Va Pbaterff Nffrzoyrq, Whyl 4 1776

My usual celebration of Independence day is to post, in its entirety, the Declaration of Independence. It’s very much worth reading, but this year, there’s a little twist, from a delightful story starring Lawren Smithline and Robert Patterson, with a cameo by Thomas Jefferson. Patterson sent Jefferson a letter which read, in part: “I shall […]


Torture is a Best Practice

I was going to title this “Painful Mistakes: Torture, Boyd and Lessons for Infosec,” but then decided that I wanted to talk about torture in a slightly different way. The Washington Post reports that “Detainee’s Harsh Treatment Foiled No Plots” and [UK Foreign & Commonwealth Office] Finally Admits To Receiving Intelligence From Torture. From the […]


Mr Laurie – Don’t do that

Ben Laurie has a nice little post up “More Banking Stupidity: Phished by Visa:” Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders – by training them to expect a process in which there’s […]


Joseph Ratzinger and Information Security

Joseph Ratzinger (a/k/a Benedict XVI) made some comments recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.” Many of you are likely […]


"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]


What Was Wrong With the Old FISA?

The Get FISA Right group is publicizing our need to re-think the laws. They have discussion going on on their site, as well as on The Daily Kos. I recommend catching up there, or reading Adam’s recent post here. I have to ask what was wrong with the old FISA? It wasn’t a bad system, […]


"A Scientific R&D Approach to Cyber Security"

Charlie Catlett, CIO of Argonne National Labs has released a report on “A Scientific R&D Approach to Cyber Security” (Powerpoint summary, community wiki). It’s a very interesting report. There’s a lot to agree with in terms of a research agenda. They’re looking to compose trustworthy systems from untrusted components, to create self-protective data and software, […]


A few Heartland links

Well, Mordaxus got the story, but I’ll add some links I found interesting or relevant. StoreFront BackTalk has From The Heartland Breach To Second Guessing Service Providers. Dave G at Matasano added “Heartland’s PCI certification.” The Emergent Chaos time travel team already covered that angle in “Massachusetts Analyzes its Breach Reports:” What’s exciting about this […]


Breach Misdirection

While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past. Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that was lost […]


Rethinking Risk

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography think’s it is “a dead duck”: The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable […]


Checking in on the Security of Chequing

I remember a conversation back in 1995 or 1996 with someone who described to me how the Automated ClearingHouse (ACH) for checking worked. He explained that once you had an ACH merchant account, you sent in a message of roughly the form (src, dest, amount, reason) and money got moved. I argued with him that […]


The Skype Issue

According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on. A group of security people and human rights workers not only […]


Regulations, Risk and the Meltdown

There are obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we […]


Blaming the Victim, Yet Again

John Timmer of Ars Technica writes about how we ignore dialog boxes in, “Fake popup study sadly confirms most users are idiots.” The article reports that researchers at the Psychology Department of North Carolina State University created a number of fake dialog boxes had varying sorts of clues that they were not real dialog boxes, […]


Help fund historic computers at Bletchley Park

Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of world’s first computers. (If you pick the right set of adjectives, you can say “first.” Those adjectives are apparently, “electronic” and “programmable.”) It has been rebuilt over the last fourteen […]


Risk Managers Are Just Like Security People

Or is that vice-versa? A few weeks ago, Security Retentive posted about an article in the Economist: “Confessions of a Risk Manager”. Both his analysis and the original story are quite interesting and I encourage you to read them as well as a letter to the editor that was published in last week’s print edition […]


Signal Boosting Amrit Williams

File this under “Posts I Wish I’d Written”. Amrit Williams’ “ The 7 Greatest Ideas in Security,” really highlights a lot of my basic thoughts on how security should work. His conclusion sums things up cogently, but go read the entire post: Some may argue that something has been forgotten or that the order is […]


Write Keyloggers Professionally! has a job for you if you need some high-paid work — write a remote keylogger. Here are the project requirements: We need a keylogger that can be installed remotely. Description: The main purpose is that the user A can send an email with a program to install (example: a game or a funny […]


Privacy Enhancing Technologies and Threat Modeling

Steven Murdoch and Robert Watson have some really interesting results about how to model the Tor network in Metrics for Security and Performance in Low-Latency Anonymity Systems (or slides). This is a really good paper, but what jumped out at me was their result, which is that the right security tradeoff is dependent on how […]


Call Centers Will Get More Annoying

There’s an article in “destination CRM,” Who’s Really Calling Your Contact Center? …the identity questions are “based on harder-to-steal information” than public records and credit reports. “This is much closer to the chest than a lot of the public data being used in other authentication systems,” she says, adding that some companies using public data […]


Putting the fun back in threat modeling

I have an article in the latest MSDN magazine, “Reinvigorate your threat modeling process:” My colleague Ellen likes to say that everyone threat models all the time. We all threat model airport security. We all threat model our homes. We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable […]


Massive Coordinated Vendor Patch For DNS

Dan “Doxpara” Kaminsky today released information about a fundamental design flaw in the architecture of DNS which if properly exploited would allow a malicious party to impersonate any website they wanted to. This issue effects every single version of DNS. The flaw primarily effects the DNS server but it can also effect clients as well […]


On Banking Security

Dave Maynor comments: Blizzard is going to sell a One Time Password device…Isn’t it kind of funny when an online game has better security than most banks? Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, […]


Study: Firefox patched quickest, IE a laggard

A new technical report out of ETH Zurich, Understanding the Web browser threat, should appeal to EC readers. The authors were granted access to the USER-AGENT information recorded globally by Google between January2007 and June 2008. By examining the first visit per day by each browser, the authors are able to determine which clients were […]


I’d bet on security prediction markets

In his own blog, Michael Cloppert writes: Adam, and readers from Emergent Chaos, provided some good feedback on this idea. Even though the general response is that this wouldn’t be a supportable approach, I appreciate the input! This helps me focus my research intentions on the most promising theories and technologies. I’m glad my readers […]


Science isn't about Checklists

Over at Zero in a Bit, Chris Eng has a post, “Art vs. Science“: A client chastised me once for making a statement that penetration testing is a mixture of art and science. He wanted to believe that it was completely scientific and could be distilled down to a checklist type approach. I explained that […]


Department of Justice on breach notice

There’s an important new report out from the Department of Justice, “Data Breaches: What the Underground World of “Carding” Reveals.” It’s an analysis of several cases and the trends in carding and the markets which exist. I want to focus in on one area, which is recommendations around breach notification: Several bills now before Congress […]


Security Prediction Markets: theory & practice

There are a lot of great comments on the “Security Prediction Markets” post. There’s a tremendous amount of theorizing going on here, and no one has any data. Why don’t we experiment and get some? What would it take to create a market in breach notification prediction? Dan Guido said in a comment, “In security, […]


Messing with the RIAA and MPAA

Some very smart people at the University of Washington figured out how to leverage the bittorrent protocol to cause the RIAA and MPAA to generate takedown notices. From the website: * Practically any Internet user can be framed for copyright infringement today. By profiling copyright enforcement in the popular BitTorrent file sharing system, we were […]


Security Prediction Markets?

In our first open thread, Michael Cloppert asked: Considering the contributors to this blog often discuss security in terms of economics, I’m curious what you (and any readers educated on the topic) think about the utility of using prediction markets to forecast compromises. So I’m generally a big fan of markets. I think markets are, […]


CSO’s FUD Watch

“Introducing FUD Watch:” Most mornings, I start the work day with an inbox full of emails from security vendors or their PR reps about some new malware attack, software flaw or data breach. After some digging, about half turn out to be legitimate issues while the rest – usually the most alarming in tone – […]


Sing it shrdlu

Over at Layer8, shrdlu lays it out there and tells us what it takes to appear to be effective: In all the initiatives I’ve rolled out in my (checkered) career, the ones that have gotten the most acclaim from my management have always been the ones that were most visible to the users. They turned […]


This May Be FUD

You may have seen this article from the India Times, “Govt may get keys to your BlackBerry mailbox soon.” Many people have been commenting on it, and the hand-wringing should build up to a good storm in a few days. The gist of the article is that the Indian Government has told RIM that if […]


The Difference Between Knowledge and Wisdom

If you haven’t heard about this, you need to. All Debian-based Linux systems, including Ubuntu, have a horrible problem in their crypto. This is so important that if you have a Debian-based system, stop reading this and go fix it, then come back to finish reading. In fact, unless you know you’re safe, I’d take […]


Jack Jones on Risk Management

I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, “Shifting focus: Aligning security with risk management.” I liked the opener, about what it’s like for executives to talk to security professionals, and the difference between what might happen and what’s likely to happen. The screenshot is from a […]


Hiring Fraudsters?

PARIS — Jérôme Kerviel, the Société Générale trader who used his knowledge of the French bank’s electronic risk controls to conceal billions in unauthorized bets, has a new job — at a computer consulting firm. Mr. Kerviel, who was given a provisional release from prison on March 18, started work last week as a trainee […]


Security Metric?

Ross Anderson has made PDF versions of several chapters of his Security Engineering (second edition) available on-line. The entire first edition has been available for some time. I am sure this second edition will be outstanding. I would rank the first edition as one of the top three technical books I’ve read. It would likely […]


Congratulations to the CVE team!

The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a […]


User Friendly Gets It

In his inimitable way, Illiad has hi-lighted that the miscreants have moved from the operating system to the applications.


Threat Modeling Blog Series

Over on my work blog, I just wrapped up a series on threat modeling. Because blogs display the content backwards, I’ve put the entire series up as a Word doc: The Trouble With Threat Modeling. [Update: If you want to see all the threat modeling posts, they’re at Threat Modeling SDL blog posts. They’re displayed […]


Dubai banks hiring hackers (no word on if a drug test is needed)

Dubai, as Adam pointed out, is in something of a branding quandary. A hard line – some would say a retrograde and counterproductive line – on victimless crime doesn’t mix well with an image as a fun spot for the well-heeled. Meanwhile, there’s this (from Emirates Business 24-7, retrieved 2/21/2008): Dubai-based banks are recruiting former […]


Time To Rethink The Efficacy Of That Hard Drive Crypto

As we love to say, if you have physical access to a machine, then you have access to all the data on it. Today Ed Felten et al. proved that yet again when they released a paper describing cold boot attacks on encryption keys. In it, they DRAM can be stripped (even after a full […]


Back in the ring to take another swing

Via Kable’s Government Computing, comes news that the British House of Lords “Science and Technology Committee has announced a follow-up inquiry to its ‘Personal Internet Security’ report”. Chair of the committee Lord Sutherland said: “The committee was disappointed with the government’s response to its report. We felt they had failed to address some of our […]


Computer Capers and Progress

We’re coming up on the 30th anniversary of the publication of “Computer Capers: Tales of electronic thievery, embezzlement, and fraud,” by Thomas Whiteside. What, might you ask, can we learn from a 30 year old text? Nothing has changed. Except, for some of the names. Donn Parker is in there, as are a melange of […]


A Cha-cha all the way to the bank

On the beaches of Mexico, they’re talking about Copacabana, a new cipher-cracker that works on DES and other ciphers with a 64-bit key. Yes, this has been done before, but this is interesting for a number of reasons. First is the price. About €9,000. Second, there’s the performance. A complete DES keyspace sweep in a […]


Adam’s Law of Perversity in Computer Security

Rybolov had an interesting comment on my post, “How taxing is it to read a tape?” He wrote about how hard it can be, and closed: I think the key is that it’s hard for the average person to read tapes if they found/stole them, but for a moderately-large organization/attacker, it’s possible. I think this […]


How dumb do we think spammers are?

Why is it we easily admit that spammers are people smart enough to run massive bot nets, design custom malware, create rootkits, and adapt to changing protection technologies but we still think that they’re unable to write a pattern to match “user at domain dot com”? Kudos to the first person who puts such a […]


TSA's insecure "Traveller Identity Verification" site slammed by Oversight Committee

First exposed nearly a year ago, by DIY boarding pass mastermind Chris Soghoian, a TSA web site intended to help travelers improperly recorded on watch lists has been slammed by a House Oversight and Government Reform Committee report: TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services […]


Vulnerability Disclosure Agents Part N

Recently Dave G of Matasano (and smoked salt) fame two interesting articles on Vulnerability Disclosure Markets. In the second one, he reposted a user’s comment: Based on the failing (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors – Which “trusted person or organization” is left “that can represent vulnerability researchers whose […]



I have been playing with Splunk, for about 45 minutes. So far, I like it. I’ve previously been exposed to Arcsight, but what I have more of an affinity for psychologically is not so much a correlation engine, but a great visualization tool that automagically can grok log formats without making me write a hairy […]


Today's Free Advice from David Litchfield

Just because you can’t see it, doesn’t mean it’s not there. Also it doesn’t mean you can’t figure out what it is…. Much like traffic analysis what you show and how you show it, can reveal a lot about what is going on behind the scenes.


Beat To The Punch

Yesterday, Sammy Migues talked about the risk of too much risk management. The only problem is that he completely misused the term Risk Management. I was all set to post a rant about that here, and in fact spent far too much time last night writing up a response. In the meantime, the Hoff and […]


Looking for a challenge? Life dull?

If you need a change in your life, consider this job posting: Title: IT Security Architecture Manager Needed Company: TJX Companies Location: Framingham, MA Skills: Very strong technical security background in both the mainframe and distributed environments. Term: Full Time Pay: DOE Length: Full Time Detail: TJX Companies is seeking an IT Security Architecture Manager […]


Making a Positive Impression With The Business

Larry Hughes has a great post over on Riskbloggers with tips on how to demonstrate that security is invested in the success of the business. There’s some really good stuff here. Especially these two: Say “no” by saying “yes.” Somebody wants to uncork that remote access bottle, and let a thousand new contractors VPN into […]


Invasion Of The Password Snatchers

As I’ve mentioned in the past my wife is a linguistics professor. Yesterday she came home from work with the following poster. A little research revealed that it and several others were originally commissioned in 2005 by Indiana University as part of their security awareness program that they assembled for national cyber security awareness month. […]


When Hackers Don't Strike

Today the New York Times asks us: “Who Needs Hackers?” The article itself which discusses the recent outages at LAX and with Skype is fairly fluffy but has some great quotes which really cover the issues that we should be looking at as an industry. Security isn’t just about hackers, but about managing threats and […]


Evolve or Die

Or at least become more vulnerable. I’ve recently been helping a client with their secure coding initiative and as a result I’ve been reading Mike Howard and Dave LeBlanc’s Writing Secure Code which reminded me of an important aspect of maintaining a secure code base which often gets overlooked: That is that as code ages […]


Steganography in the News

In Australia, Jeffrey Ismail has been convicted of “using a carriage service to menace, harass or offend” meaning using his mobile to coördinate reprisal attacks against a rival gang. Despite registering his phone under the name “John Gotti” and being careful enough to tell his “clerics” to “bring ‘ankshays’ and ‘atbays’” police recorded his calls […]


The first salami attack?

A salami attack is when you take a very small amount of money from an awful lot of accounts. The canonical example is a bank programmer depositing sub-cent amounts of interest in a special account. These rounding errors add up. I’m trying to find the first actual documented theft or attempted theft using this attack. […]


You can't spell "Really pointless flamefest" without R-O-I

Rich Bejtlich, with whom I do not want to argue about definitions unless I have a much thicker dictionary than he, has taken aim at the (mis?)use of ROI by security people. EC readers may be interested in a blog post by Ken Belva, in which the guy who literally (co)wrote the book on establishing […]


Wretched Term of the Week: Best Practice

This is a peeve I learned from the great Donn Parker. The term “Best Practice” should be avoided. It is inaccurate. misleading, and self-defeating. Here’s why: Best is a superlative. By using it, one implies that there a single choice that surpasses all others. Rarely is this the case in real life. Security gurus are […]


What If The Hokey Pokey Is What It's All About?

I’ve always thought that folks in operation security and product security had a whole lot to learn from each other. Unfortunately for the product security people, they now also get to learns about the pain of vendors swooping down on them trying to sell them the latest and greatest crap. Last night, Mary Ann Davidson […]


Whose Line Is It Anyway?

For quite a while now, I’ve been claiming that in order for InfoSec to do it’s job properly, it needs to understand the business. Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: “Risk Decision Making: Whose call is it?” There he shares his thoughts how to decide whether […]


Movie Plot Threat No Longer a Metaphor

Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, “I’m here to shoot a pilot.” On the one hand, yes indeed, on the list of things you shouldn’t say while in Immigration, “I’m here to shoot a pilot” is right up there with being careful how […]


893 Million, and Whadda Ya Get?

♫Another DHS network, and we’re not sharing yet.♫ So reports Haft of the Spear, in “You’ll Share and You’ll Like It!” The Homeland Security and Justice departments have spent $893 million on information-sharing networks in the last two years but still do not have effective networks in place, according to a report from the Government […]


.BadIdea, Mikko

Mikko Hypponen suggests in an article that’s getting a lot of press (“Masters of Their Domain“) that banks get their own domain space, ‘.bank.’ He argues that this would make phishing harder, and suggests we could charge banks a lot of money for the domains. I have three problems with this: Crooks are already investing […]


Encryption Is Security Theater

Last night I was talking with a certain analyst from a large company that we’ve all heard from and we got into a discussion about most security people not understanding encryption at all, to the point that it is assumed to be a cure-all. In fact, with the exception of encrypting data at rest (and […]


Quantum Cryptography Cracked!

Nature reports that, “Simulation proves it’s possible to eavesdrop on super-secure encrypted messages.” A summary of the attack is that the attacker instigates a quantum entanglement of properties of the photons so that they can infer the information (encoded in polarization) by measuring the entangled property (like momentum). It isn’t a real attack, but as […]


Security Through Stupidity

In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention. Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you […]


"What security people won't share with each other"

Scott Blake has a really interesting 3-part podcast interview with Mike Murray. See Mike’s post, “it never ceases to amaze me what security people won’t share with each other,” and go understand why you should give Scott a demerit. (I’d meant to post this months ago, when Scott did the interview. Oops!)


Month of Owned Corporations

Richard Bejtlich points to a very dangerous trend in his TaoSecurity blog, the “Month of Owned Corporations“: Thanks to Gadi Evron for pointing me towards the 30 Days of Bots project happening at Support Intelligence. SI monitors various data sources to identify systems conducting attacks and other malicious activity. Last fall they introduced their Digest […]


From The "Wish I'd Posted That" Files

Gunnar (as usual) has a great post highlighting the lack of a real cohesive strategy in the security products arena and IT security teams losing site of the big picture. In particular, he highlights a comment from Andrew van der Stock about using SMS as an out of band authentication mechanism. Man I wish I’d […]


Disclosure Laws, State-by-State

Philip Alexander writes in Intelligent Enterprise about “Data Breach Notification Laws: A State-by-State Perspective.” The article is short and readable, and points to his new book, which is likely a good read.


Phriday Phish Blogging: Randomly Flagged

One of the things I really appreciate about phishing is that we pay people to discover the zeitgeist and share it with us. There’s little spam advertising fallout shelters or other ways to deal with the Red Menace. I rarely see advocacy about bimetallism in the currency in my inbox. We see what we see […]


How to Allocate Resources

The other day, I wrote: I also don’t buy the bad management argument. Allocating resources to security is an art, not a science. I’ll offer up a simple experiment to illustrate that shortly. So here’s the experiment. It works better in person than in blog comments. Ask two experts to write down how they’d allocate […]


DoS == Vulnerability?

I think that a Denial of Service condition is a vulnerability, but lots of other people don’t. Last week Dave G. over at Matasano posted a seemingly very simple explanation that nicely sums up the way I’d always been taught to think about these sorts of issues: The ability to halt or shutdown most modern […]


Why BitLocker Won't Help Most Companies

A couple of weeks ago, Mike Rothman linked to an article by George Ou about using EFS and BitLocker under Vista. There he made an extraordinary claim: Since BitLocker won’t encrypt additional hard drive volumes, whether they’re logical partitions on the same physical disk or additional disks, you must use EFS to encrypt those volumes […]


From the Heresy Desk

Before Bruce Schneier started using the term, “Security Theatre” was a term I heard from what I call Real Security People. I was designing a security-oriented NOC, and I interviewed people who built secure sites for a couple of governments, banks, and others. They said that what The Adversary thinks you can do is more […]


Responsible Disclosure and Months of Bugs

I had promised myself that I wasn’t going to post about any of the Month of Bugs projects and that everything that needed saying had been said by people far more eloquent than I. But then Michael over at MCW Research came at it from a different angle saying: I whole-heartedly back these projects as […]


More On Secure Banking

Continuing our tradition of bringing you the news before it’s fit to print, Chris covered “The Emperor’s New Security Indicators” in “Why Johnny Can’t Bank Safely.” Don’t miss Andrew Patrick’s “Commentary on Research on New Security Indicators,” Alan Schiffman’s “Not The Emperor’s New Security Studies,” or Alex’s “Bad Studies, Bad!” As an aside, Chris used […]


HIDing At Blackhat

Now HID is claiming that they did not demand that Chris or IOActive cancel their talk. As a result the talk is now back on, but with the details about the device and the demo expurgated. As Chris has repeatedly said, this attack is completely generic and works against any passive RFID tag. Additionally, Nicole […]


Rootkit on a Stick

The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they […]


Blackhat Do It Again

Looks like HID hasn’t learned anything from Cisco’s experience two years ago. One of these years more vendors will learn how to manage vulnerability disclosure and follow the lead of companies like Microsoft and Cisco rather than sticking their foot in it. Chris Paget a well respected researcher is going to present at Blackhat Federal […]


Not Selling But Marketing

As promised last week, I have more to say on selling security. Well sort of. Actually, I’m going to try a new approach. I’m increasing convinced that to get real attention on security, we need to stop thinking about selling, awareness or even training users. We need to be marketing security, more specifically we need […]


More On Selling Security

Chandler says that “would rather be understood than perfect” in response to Mordax’s call to stop cutesy names for attacks. In doing so, he says: Second (and I know this has been mentioned elsewhere in the world), instead of talking about vulnerabilities within the Software Development Lifecycle, I just talk generically about them as a […]


Credentica Launches U-Prove

Montreal, QC (PRWEB) February 13, 2007 — Credentica , a Montreal-based provider of innovative security software for identity and access management, today announced the immediate availability of its U-Prove product for user-centric identity management. The U-Prove product enables organizations to protect identity-related information with unprecedented security throughout its lifecycle, wherever it may travel. It is […]


Department of pre-blogging, II

A bit of background. Sun recently got hit with a 0-day that was 13 years in the making, by seemingly repeating a coding worst practice that bit AIX back in 1994 — trusting environment variables under the control of an attacker. A slightly more complex variant bit Solaris’ telnetd in 1995. From the advisory (NSFW) […]


Friday Phish Blogging: Bank of America

Today’s Friday Phish blogging comes to you pretending to be from Bank of America: It appears here in our system that you or a wrong person is usually trying to log into your account, in nine differnt occasions have you or (person) provided us a nearly correct answer to your site-key challenging question, of which […]


Is this idea feasible?

With all the reports of lost backup tapes, I wonder if it would be technically feasible to keep an eye on them using RFID tags. If a tape “tries to leave” a facility without having been pre-authorized, bells go off. If a tape can’t be found, there’s a record of where it was last detected […]


Information Security Needs

The NYT reports, “Rough Treatment for 2 Journalists in Pakistan” and indeed reporting is dangerous in countries where they do not respect the sort of basic rights we in the civilized world have championed for nigh 800 years. However, a computer was seized, sources were roughed up and possibly jailed or killed: Since then it […]


BenL on OpenID and Phishing

Ben Laurie (of Apache-SSL fame) posted a great analysis of a major design problem with OpenID calling it a “Phishing Heaven“. So, I can steal login credentials on a massive basis without any tailoring or pretence at all! All I need is good photos of kittens. I had hoped that by constantly bringing this up […]


Security Through Obscurity, The Next Big Thing

PCMesh, a Canadian company, has something Better Than Encryption. Encrypted files are still visible on the hard drive. This makes them vulnerable to attack from anyone who is interested enough in the content of the files to spend time trying to decipher them. And with more and more hackers intent on defeating modern encryption algorithms, […]


New York Times on DRM

“Want an iPhone? Beware the iHandcuffs” says The New York Times in today’s edition of “Your Money”. Unfortunately it doesn’t really say much about the iPhone and crippleware beyond saying that it will be limited in music playing in effectively the iPod. However the article does a very nice job of covering the state of […]


Credit Card Data Over AOL IM

From the files of “too good to make up”, reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially he bought some merchandise at a shot which didn’t have a point of sale terminal so the clerk was IMing all credit card data […]


Full Disclosure == Torture

Or so says the Mogull over at Securosis. This particular section sums up my own feelings about the necessity of full disclosure quite well. I think we need full disclosure as a tool in our arsenal, and that most of the researchers dropping these vulnerabilities think they’re doing good, but full disclosure needs to be […]


Bay Area Security Incident Exercise

For those who are located in the SF Bay Area (or will be there on February 21st), the Silicon Valley ISSA Chapter is hosting a one day mock security incident exercise. The goal of the exercise is to explore how different organizations and industries must work together to respond to events based on their organizational […]


That’s Funny….

Over the last week, I’ve read several things involving poor Lind Weaver. In case you missed it, she’s a 57-year-old owner of a horse farm. She got a bill for the amputation of her right foot. As you should expect if you’re a regular reader here, it wasn’t her. Comic hijinks ensue which conclude with […]


Pragmatic Redux

Late on Friday night, Mike Rothman finally posted a response to some of my questions from last week. Most notably he reveals who the Mike in his “Ad” is: The answers are pretty straightforward. Mike, the Pragmatic CSO, is a fictional character. For those of you a little slow on the uptake, that means he […]


Joanna on Stealth Malware

Joanna Rutkowska of Blue Pill fame, gave a presentation at the recent Chaos Communication Congress on “Stealth malware – can good guys win?“. Unfortunately, I couldn’t make it to the presentation in person, but the powerpoint slides are a great read. I highly recommend it. Definitely food for thought. [Image is Hypervisorus Blue Pillus from […]


The Pragmatic Reviewer

Today Mike Rothman launched his new book “The Pragmatic CSO” at the astounding price of $97. I took the plunge and downloaded the introduction and it isn’t half bad, but aside from a cute dialogue at the beginning it doesn’t really read differently than any number of other security books I have on my shelf. […]


The Price of Nothing and the Value of Everything

In the Christmas double issue of The Economist, there is an interesting article about Google’s new domain-level email services and their applicability to business. I’m traveling, so I listened to the podcast version. I’m not going to criticize Google today. I think Gmail is a good service. I have several Gmail accounts. I am personally […]


Chip, Pin and Tetris

Saar Drimer and Steven Murdoch will be getting lumps of coal from the banking industry, and amused laughter from the rest of us: It is important to remember, however, that even perfect tamper resistance only ensures that the terminal will no longer be able to communicate with the bank once opened. It does not prevent […]


I’ll See Your Randomness, And Raise You a Protocol

In “Stellar Lavarand,” Ben Laurie writes: Some crazy people think they can make a business of this, only using the solar wind, the clouds of Venus, the Northern Lights, Jupiter’s shortwave emissions and other cosmic events as their random source. Just like lavarand, this causes a moment of “oooo, shiny”, rapidly followed by “but why […]


My Advice for the Pragmatic CSO

Mike Rothman writes: On the Wikid blog, they tackle the mess of incentive plans in this post (h/t to Emergent Chaos). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses to about 1/3 of the expected loss. Now I haven’t read Gordon & […]


Infosec Incentives for People

So there’s been discussion here recently of how to motivate security professionals to do better on security. I think it’s also worthwhile to look at normal people. And conviniently, Bruce Schneier does so in his Wired column this month, “MySpace Passwords Aren’t So Dumb.” He looks at how MySpace users do in their passwords versus […]


When Security Collides With Engineering (Responsible Disclosure Redux)

Stefan Esser announced earlier this week that he was retiring from citing irreconcilable differences with the PHP group on how to respond to security issues within PHP. Of particular interest is that he will be making changes to how he handles security advisories for PHP (emphasis mine): For the ordinary PHP user this means […]


Cost-Benefits, Incentives, and Knowing What to Do

Adam quoted some interesting thinking about infosec incentives. However, I’m not sure it’s that simple. Gordon and Loeb say that you shouldn’t spend more than 37% of an expected loss. However, at last summer’s WEIS (Workshop on the Economics of Information Security), Jan Willemson published a paper, “On the Gordon & Loeb Model for Information […]


Wikid cool thinking on Infosec incentives

First, assume that you believe, as discussed in Gordon & Loeb’s book Managing Cybersecurity Resources: A Cost-Benefit Analysis and discussed here that an organization should spend no more than 37% of their expected loss on information security. Second, assume that you agree with the Ponemon Institute on the cost of business data breaches: $182 per […]


Fanning the flames, security metrics style

Amidst the to and fro over insider v. outsider threats, whether security metrics can be “gamed”, and so on, and in recognition of the best buddies that security geeks and economists have now become, I offer the following.  The saying often quoted from Lord Kelvin (though the substance, I believe, ismuch older) that “where you […]


Halvar on Vulnerability Economics

Back in July, I wrote: If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better? Now, I was actually tweaking F-Secure a little, in a post titled “It’s Getting Worse All The Time?” I didn’t expect Halvar Flake would demonstrate that the answer is yes. Attacks getting […]


Selling Security?

Last week, Martin McKeay responded to RaviC’s thougthful discussion of security as a core competence by saying: I don’t think any business is going to buy into security as a core competence unless you can demonstrate to management that they’ve lost business directly because of a lack of security. And even then, it’s an incident […]


On Awareness

Last week, Rich Bejtlich posted his common security mistakes to TaoSecurity. His points are all excellent and well thought out, however, I would add one more item to his list: Awareness. It is very in vogue to say that user education must be eradicated, will never work and is one of the dumbest ideas in […]


Guidance Software, Evidence and Software Provenance

So Chris beat me to the mocking of Guidance Software. I was going to do that, and then ask about the software that they produce, and its heavy use in legal proceedings. If your corporate network is full of hackers, what does that say about the admissibility of the output of your software? There’s also […]


Vulnerability Game Theory

So a few days ago, I attended the Vista RTM party. I spent time hanging out with some of the pen testers, and they were surprised that no one had dropped 0day on us yet. These folks did a great job, but we all know that software is never perfect, and that there are things […]


Mike Howard beats me to the punch

His posts on “Microsoft hosts OEM partners for a crash-course in SDL (Day Two)” and “Microsoft hosts OEM partners for a crash-course in SDL (Day Three)” cover much of what I wanted to say: My biggest observation was these guys were utterly engaged, and by that I mean writing copious notes and asking some very […]


Talking to OEMs

My co-worker Mike Howard posted “Microsoft hosts OEM partners for a crash-course in SDL (Day One)” As part of our ongoing SDL efforts, we are hosting a 2.5 day event here in Redmond for our OEM partners – over 50 senior technical experts from the biggest names in the computer industry. Out of respect for […]


Giant Waves

Chandler Howell has a great post about giant waves. He quotes extensively from “Monster Rogue Waves” at Damninteresting: More recently, satellite photos and radar imagery have documented the existence of numerous rogue waves, and it turns out that they are far more common than previously thought. During a three-week study in 2001, radar scanning detected […]


Risk Management Redux

Earlier this week, Mike Rothman took a swipe at Alex Hutton’s What Risk Management Isn’t by saying: But I can’t imagine how you get all of the “analysts and engineers to regularly/constantly consider likelihood and impact.” Personally, I want my firewall guy managing the firewall. As CSO, my job is to make sure that firewall […]


Contactless Credit Cards Cracked

Well calling it cracked implies encryption or some semblance of security of which there is none according to the New York Times. In Researchers See Privacy Pitfalls in No-Swipe Credit Cards we learn that a team of folks from UMass Amherst and EMC/RSA tested a small batch of RFID Credit Cards from Amex, Visa and […]


Use The Logo Luke

“Decaf” over on DeadBeefCafe, relates the story of a colleague whose response to yet another virus outbreak is to convince management to purchase Macintoshes, with the following justification: We’re going to buy Mac Minis and run Windows on them because Macs aren’t affected by these security problems. Decaf breaks down the several fallacies of this […]


A Picture (or Three) Is Worth A Thousand Words

Iang over at Financial Cryptography talks about the importance of not just which cryptographic algorithm to use, but which mode it is implemented with. He uses three pictures from Mark Pustilnik’s paper “Documenting And Evaluating The Security Guarantees Of Your Apps” that are such a great illustration of the problem, that I have to include […]


Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach

I’m pretty excited that an article, “Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach” is in the November MSDN magazine. The theme of the magazine is “Security Fundamentals.” The article that I wrote with Shawn Hernan, Scott Lambert, and Tomasz Ostwald talks about how we threat model our products at Microsoft. I’m happy […]


Certification Shmertification

So it seems that certifications are again in the press. This time over at SC Magazine. Last month, SC ran “Does testing matter?“. I say ran as opposed to ask, because really the article was a page long advertisement for the various certifications with most of the quotes being from the various organizations who sponsor […]


Do Kings Play Chess on Folding Glass Stools?

Over at the OSVDB blog, blogauthor writes: On September 29, Stefan Esser posted an advisory in which he said “While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look…“. This lead me to remember an article last year titled Microsoft unveils details of software […]


2006 Underhanded C Contest

long unsigned int maxwordsize(char *inputFromStdIn) { long unsigned int tmpwordsize=0,maxword=1,i; for (i=0; i


Extra! Extra! Read Nothing About It! (Latest on Apple V. Maynor)

In “SecureWorks Backs Out of Macbook Demo,” Brian Krebs writes: David Maynor, the SecureWorks researcher who was set to demonstrate how wireless driver flaws could be used to compromise an Apple Mac laptop, suddenly has been yanked from the ranks of Toorcon presenters. At around 12:50 p.m. PT, SecureWorks issued the following press release: “SecureWorks […]


TRUSTing Mary Ann Davidson

Yesterday, Mary Ann Davidson had a fascinating post about the classics of Western literature. As usual for Mary Ann, the apparent basis of the post is really just exposition for her main point. In this case, the thrust of her post is the need for developers to have more training in secure coding at the […]


Ed Felten's Testimony

Ed Felten, who has been doing research into security issues with Diebold’s voting machines, is testifying today at a House Administration Committee hearing. He’s posted his written testimony on his website. Check it out. [Edit: Corrected the spelling of Ed’s name.]


U.S. versus E.U. Audits

Speaking of the differences between how security gets managed in the U.S. versus the E.U., CSO magazine has a light-hearted and somewhat irreverent article on the differing goals and priorities of audits on either side of the Atlantic. In spite of its tone, it does highlight some important issues to keep in mind. In particular: […]


This Post Brought to You By The Number 3, and The Letters and S and L

There’s a fascinating discussion of the intersection of cryptanalysis, specification and flexibility, all of it stemming from yet another SSL attack by Bleichenbacher. The best posts are over at Matasano: Many RSA Signatures May Be Forgeable In OpenSSL and Elsewhere Mozilla Falls to RSA Forgery Attack RSA Signature Forgery Explained (with Nate Lawson) – Part […]


Congratulations to Mozilla

EWeek has the story: Window Snyder has joined Mozilla as Security Chief. Congratulations all around. PS: Just when Window and I were gonna live in the same city, again, too. Bugger. PPS: Apparently, it’s from Mike Schroepfer’s blog post.


On The Curious Incident Lately in Apple v. Maynor and Ellch

So John Gruber, who has written quite a bit on the whole did-they-didn’t-they spat between Apple and Dave Maynor and Jon Ellch, offers up “An Open Challenge to David Maynor and Jon Ellch,” offering them a Macbook if they can root it. I’d like to mention something that hasn’t happened lately. By not happening, it […]


Mangle those cell phones?

OK. Right off I am *not* advocating physical destruction of old recycled cell phones. This post (Mangle those hard drives!) at my primary security blog, ThreatChaos, got a lot of reactions when I suggested that physical destruction of hard drives was the best policy in lieu of a well managed data wiping process. That was […]


Outsiders! Insiders! Let's call the whole thing off.

I have no idea whether outsiders or insiders are responsible for more losses, and while the topic is somewhat interesting, it seems to me to be something of a marketing-generated distraction. I’ve worked in environments where I am absolutely certain that insiders were the predominant threat, in environments where they probably were, and in environments […]


"Faux" Disclosure

I wasn’t going to join the debate on relative merits of Dave Maynor/Johnny Cache’s disclosure of vulnerabilities in device drivers at Black Hat 2006, but Bruce Schneier’s post calling it Faux Disclosure, has annoyed me enough that I feel obliged to comment now. In particular he says: Full disclosure is the only thing that forces […]


Ryan Russel, A Sample Please

Over at the Open Source Vulnerability Database blog, we learn that Ryan Russel has won the “Oldest Vulnerability Contest.” It is in the interests of science that I ask how Mr. Russel was able to come from behind like this. And much as I like and respect Mr. Russel, it’s quite a last minute leap […]


Performing Code Reviews

My co-worker Mike Howard has a really good article on “A Process for Performing Security Code Reviews” in IEEE Security & Privacy. It’s chock full of useful advice.


Attack of the Clones?

EKR is the voice of reason when he points out that of course RFID passports are clonable, when he responds to all the press brouhaha about, Lukas Grunwald’s demonstration at Black Hat showing that an RFID passport can be duplicated using off the shelf parts. This outcome is hardly surprising, this is yet another side […]


So, this, ummm, friend of mine, umm has a problem with security

In a comment on “Drowning In Notices,” Phill Hallam-Baker writes: My concern was that if the warning notices become too familiar they loose their impact. It might not just be the case people get blase about seeing them, they might lose their embarassment in sending them. I don’t think people should be more embarrassed about […]


The Down Side of "Strong" Authentication

Brad Stone has a great article in Wired about his car being stolen and the insurance company insisting that he must be lying because he still had all of his fancy RFID enabled keys. This assumption that the security system is perfect is going to continue to bite consumers especially as banks move to two-factor […]


Yet Another Coding Standard?

Over at Matasano, Tom Ptacek skewers the new CERT Secure Programming Standard by asking: Do We Need an ISO Secure Coding Standard?. The entire article is well worth reading, but it sums up nicely with this: There are already a myriad of good sources of information about secure programming, including books targeted specifically to developers […]


It's Getting Worse All The Time?

So there’s a post over at F-Secure’s blog: There’s a growing trend here. We’ve been saying for some time that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better. The bad guys want to make money – not make attention. So as a malware author, if […]


On Provable Security

Eric Rescorla writes: Koblitz and Menezes are at it again. Back in 2004, they published Another Look at “Provable Security” arguing that the reduction proofs that are de rigeur for new cryptosystems don’t add much security value. (See here for a summary.) Last week, K&M returned to the topic with Another Look at “Provable Security” […]


"Privacy" International

As mentioned by Ben Laurie; Simon Davies, the Director of Privacy International, was quoted in IT Weeks’s Will industry rescue the identity card? as saying: “I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the […]


Meet the Bugles

Check out Bugle, a collection of google searches that look for known general classes of vulnerabilities in source code such as buffer overflows and format string issues. The list is far from complete and is no replacement for real static analysis but will should get you a lot of low hanging fruit. [Via FIRST News.]


I smell a movement

No, not that kind, silly. I just read over at Bejtlich’s blog, that he has decided to start NoVA Sec, having been inspired by Chisec, which was begun by Matasano honcho Thomas Ptacek. ChiSec is fun, and has been rapidly imitated by other Matasano folks, yielding Seasec and NYsec (I’m hoping it will go next […]


Buggy Advice from Adam

So in the “Code Review Guidelines” which I wrote a long time back, I quote a bit of code by Peter Guttmann, on how to open a file securely. Last week, Ilja van Sprundel got in touch with me, and said that the lstat/open/fstat chain is insecure, because you can recycle inodes by creating a […]


Actual Data Sharing!

Cruising through my blogroll this morning over the morning coffee, I came across an article from BeyondSecurity, which walks through a forensics analysis of an on going security incident. This is a good read and it’s great to see folks in the industry talking about what they actually do and how they do it. Thanks […]


Job Hunting for Security Executives

Like everyone, there comes a time in every CSOs career where they need to look for a new job. I’ve reached that point in my career and in looking around, I’ve run into several challenges. The first problem I’ve found is that there are a lot of different titles for the person who owns all […]


gcc -Wall -WeReallyMeanIt

Following up on a problem I mentioned long ago, (“Ranum on the Root of the Problem“) that gcc’s -Wall doesn’t actually run all the analysis it could. Apple has a great page “Improving Your Software With Xcode and Static Analysis Techniques” (I believe that this is a mirror of that page, see section 5) that […]


A Few More Thoughts on Disclosure

Reading Arthur’s “What Me Data Share?” and Chris’ “CSI/FBI Survey considered harmful,” I realized that what they’re discussing may not be common knowledge. I also realized that my posts about how valuable disclosure laws are assumed that everyone knows what Chris and Arthur said, and that ain’t so. The lack of information sharing that plagues […]


What Me Data Share?

I completely have to support Chris in his analysis of the latest CSI/FBI Survey. He sums it up nicely with: “there is no reason to give this survey any credence.” The survey, does an excellent job of highlighting a general problem within the security industry, the sharing of data. If we’re to make real progress […]


Gartner to Google: Learn to read minds

Concerning a school district which misconfigured its web server and wound up posting student social security numbers for all — including Google’s spiders — to see, Gartner’s Avivah Litan weighs in: They say the Internet is free and open, and you can’t stop them,” Litan said. “But they ought to scrutinize some of the content […]


Sitting on the Fence

Last week Dan Gillmor talked about Verisign’s monopoly wishes, stating: This deal would be great for VeriSign, but terrible for the marketplace. It would consolidate one company’s control over an essential part of the Internet infrastructure. Is the sky falling? I don’t think so. This sounds a whole lot like before GeoTrust was launched. GeoTrust […]


Vulnerability Markets: Under a Cloud

After some great conversation with Ryan Russell in the comments to “Economics of Vulnerabilities: Markets,” I saw Pascal Meunier’s “Reporting Vulnerabilities is for the Brave:” So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for […]


Economics of Vulnerabilities

Lately, I’ve been playing with an idea. Work by both Microsoft and certain open source projects has made finding and exploiting vulnerabilities in their code substantially harder. So, the effort needed to find a vulnerability has gone up. The effort needed to build a working exploit has gone up. Thus, the willingness of a vulnerability […]


DaveG On Apple Security Advisory

So if you have a Mac, you really want to open software update now. You can read about Apple Security Update 2006-0003 after you’ve installed it and the Quicktime patch. In “Apple Security Update RoundUp,” DaveG explains: So, in short, without the latest update, OS X is secure as long as you don’t look at […]


Apple’s Message

Over at Security Curve, Ed Moyle has some good thoughts on “the Gigantic ‘Bull’s Eye’ on Apple’s Forehead:” Now, I don’t know about you but I haven’t seen this kind of hubris since Oracle’s “unbreakable” campaign. Remember that? I do. I remember that at one point in time, most researchers ignored Oracle and pretty much […]


Boarding Passes, Privacy, and Threat Models

There’s a great article in the Guardian, “Q. What could a boarding pass tell an identity fraudster about you? A. Way too much:” This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station. It was nestling among chewing […]


Automated code scanners do have their uses

Slashdot is carrying the story of a rather large bug find in the X11 code. Judging by the patch, it looks like the problem was due to a lack of caffeine: if (getuid() == 0 || geteuid != 0) The OpenBSD code auditors seem to have found this one independently: This is one of those […]


Security Development Lifecycle, the Book

Michael Howard announces the imminent availability of his new book, “The Security Development Lifecycle” by Michael Howard and Steve Lipner: This time the book documents the Security Development Lifecycle (SDL), a process that we’ve made part of the software development process here at Microsoft to build more secure software. Many customers, press, analysts, and, to […]


High Assurance Certificates and the Fake NEC

So I’ve seen the story in a bunch of places, but something about Bruce Schneier’s posting on “Counterfeiting an Entire Company” made me think about certificates, and the green URL bar. In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products – […]


Time to Patch

Brian Krebs has a long article, “Time To Patch III: Apple,” examining how long it takes Apple to ship security fixes: Over the past several months, Security Fix published data showing how long it took Microsoft and Mozilla to issue updates for security flaws. Today, I’d like to present some data I compiled that looks […]


Internet Explorer Flaw, Transparency, and App Compat

“After IE Attacks, Microsoft Eyes Security Betas” is by Al Sacco at CSOOnline. He has a lot of good orientation and background. Then take a look at Mike Reavy’s “Third party solutions to the Internet Explorer CreateTextRange vulnerability.” Mike runs MSRC, and it’s a pleasant surprise to see him acknowledging customer fears with a post […]


Matt Murphy on Microsoft & Transparency

Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn’t patch phantom vulnerabilities that don’t exist or unrealistic science-fiction attack scenarios. Microsoft’s under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot. You simply don’t know what the patches are for. It’s […]


Microsoft and Rootkits

Earlier this week, there was a story “Microsoft Says Recovery from Malware Becoming Impossible.” I’m not sure why this is news: Offensive rootkits, which are used hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel […]


Congratulations, Professor Ian!

I’m very happy to report that Ian Goldberg has accepted a position, starting in the fall, at the University of Waterloo. I had the privilege of working with Ian while he was Chief Scientist and Head Cypherpunk for Zero-Knowledge Systems, and he spans academic and practical computer security in a way that’s all too rare. […]


Sprint "Security"

So the other day, I called up Sprint, my illustrious cell phone provider, to make some changes to my service plan. The very nice agent asked me to identify myself with either the last 4 digits of my SSN or my password. Now, I’ve never set up a password for use over the phone and […]


Virtual Machine Rootkits

Eweek covers a paper (“SubVirt: Implementing malware with virtual machines“) coming out of Microsoft and UMichigan in “ VM Rootkits: The Next Big Threat?. Joanna Rutkowska gives some thoughts in a post to Daily Dave, “redpill vs. Microsoft rootkit….” My take is its good to see Microsoft working on this sort of research, and thinking […]


Reflections on the Microsoft CSO Summit

Adam’s Private Thoughts on Blue Hat, reminds me that I’ve been meaning to post about Microsoft’s recent CSO Summit. This was an invitation-only spin off of Microsoft’s Executive Circle, and was a mix of MS product presentations, round table discussions, and non-MS folks speaking on how they dealt with real world scenarios in their various […]


Private Thoughts on Blue Hat

As I mentioned, I was out at Microsoft’s Blue Hat conference last week. As it was a private event, speakers’ names are being kept private right now. I’m all in favor of privacy. Unfortunately, that makes it hard to properly attribute this bit of genius: 1 bottle of beer on the wall, 1 bottle of […]


SSL Survey over at Matasano

Jeremy Rauch over at Matasano is running a survey on how companies are using HTTPS/SSL. I encourage you to go there resond. My answers are below the cut.


On Computers and Irony

I’ve been saying for a while that destroying information has an ironic tendency: While it’s quite hard to really destroy data on a computer when you want to, (for example, “Hard-Disk Risk“) it’s quite easy to lose the data by accident. Similarly, while it’s quite hard to make code that runs and does what you […]


How Much Does A Firewall Reduce Your Risk?

In a recent post, “The Future Belongs To The Quants,” Chris suggests that risk mitigations must be quantifiable. My post “In The Future, Everyone Will Be Audited for 20 Years,” lists what the FTC is requiring for risk mitigation. It seems none of it is quantifiable. Chris?       (Incidentally, I think this iptables […]



Consulting firms are interesting beasts. Often, they are able to make great changes in their clients’ organizations, perhaps not so much because their people are smarter, or even more knowledgable, but because they aren’t subject to the same incentives (pecuniary and otherwise) that client employees face.


Subject: Attention! Several VISA Credit Card bases have been LOST!

You know breaches are reaching the public consciousness when spammers use them to make money. I got this in email yesterday, along with a URL that I don’t feel like linking. Banks would do really well to send less email with the words “click here,” and more saying “visit our site using a bookmark.” Good […]


In The Future, Everyone Will be Audited for 20 Years (CardSystems Analysis)

In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an […]


Safari Users: Don't Open "Safe" files after downloading

Go to preferences, general, and un-select that box. From “Apple Safari Browser Automatically Executes Shell Scripts,” via SANS and Eric Rescorla. Don’t miss Peter da Silva’s comment on Eric’s post. Eric, how do you get such good comments?


Second OSX Proof of Concept

Today we got a sample of rather interesting case, a Mac OS X Bluetooth worm that spreads over Bluetooth. OSX/Inqtana.A is a proof of concept worm for Mac OS X 10.4 (Tiger). It tries to spread from one infected system to others by using Bluetooth OBEX Push vulnerability CAN-2005-1333. Via F-Secure. I feel weird linking […]


LEAP.A Mac Trojan

There seems to be a trojan out for the Mac. See New MacOS X trojan/virus alert, developing…. There’s some interesting tidbits: 6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder 6b) If your uid != 0 […]


Free advice for merchants accepting payment cards

3. Protect Stored Data 3.1 Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. 3.2 Do not store sensitive authentication data subsequent to authorization (not […]


Tools and Secure Code

Mike Howard (and company) have a great post about why “Code Scanning Tools Do Not Make Software Secure:” Such tools, often called static analysis tools, such as the tools we have included in Visual Studio 2005, are very useful, but they are no replacement for human intellect. If a developer does not know how to […]


New OpenSSH, with nifty feature

OpenSSH 4.3 is out. It has one new feature: Add support for tunneling arbitrary network packets over a connection between an OpenSSH client and server via tun(4) virtual network interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN between the client and server providing real network connectivity at layer 2 or […]


Sports Authority in another Point-of-Sale data retention SNAFU?

I posted this to the Dataloss list earlier today. Sports Authority Inc. confirmed this week that it recently launched an investigation into its information system after four international banks alerted it to a potential intrusion into its network in December. With help from the Secret Service and Cybertrust Inc., the sporting goods company determined that […]


Swire on Disclosure, Redux

Following on Chris’s post on disclosure, I’ve been meaning to mention Peter Swire’s “A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Agencies:” A previous article proposed a model for when disclosure helps or hurts security, and provided reasons why computer security is often different in this respect than […]


The following is not to be construed as legal advice. Or anything else.

The acronym “IANAL” is no doubt familiar to anyone reading these words. Well, I Am Not A Lawyer, but Paul Rianda is, and he wrote an interesting article for Transaction World’s September 2005 issue, that I happened to run across. In it, Mr. Rianda, esq., discusses his view of why the breaches we are all […]


Redaction Is Harder Than Public Speaking

Did you ever have one of those days where you had a great, totally unfair pot shot to sling at Microsoft, and events just overtake your plans? It started out when I watched the videos of “Blue Hat 2005 – Security Researchers come to MS, Part I.” Now, I have some insight into the training […]


Breach disclosure insurance

A common argument used against state-level breach notification laws, and in favor of federal legislation overriding state laws, is that existence of these numerous state laws with their differing requirements and conditions raises the cost of compliance unacceptably. Just to be prepared to comply with potentially fifty distinct notification regimes, a firm would need to […]


On Disclosure

In comments on “Bank of America Customers Under Attack,” Options Scalper writes: I’m uncertain of the “mandatory disclosure” that you discuss here. If by this you mean of data lost in transactions similar to what you mention above, I agree. But if you mean data from the call center to determine the level of theft/fraud […]


Introducing Debix

I’m at Black Hat Federal this week, helping introduce Debix. Of all the systems that I’ve heard about to combat identity theft, Debix’s stands far above the crowd, which is why I’ve joined their advisory board: In the physical world, we have the ability to place locks on everything from cars to safety deposit boxes […]


Two On Vulnerability Disclosure

Ed Moyle has a very good post, “Inside Oracle’s Patch Kimono,” in which he compares Oracle’s process for working with vulnerability researchers with that of Microsoft. I’d like to add two really small bits: First, I’d have compared to the (MS-dominated) Organization for Internet Safety, and second, all of these put insufficient value on secondary […]


Bank of America Customers Under Attack

The Seattle Post Intelligencer asa story, “B of A Customers Hit By Thefts,” about cash withdrawals being made overseas: According to customer service representatives at Bank of America, there have been numerous reports of checking account fraud in Seattle, but many more incidents being reported from other states. The increases in fraud reports are generally […]


Happy Birthday, CVE!

The sixth presentation was based on a paper titled “Towards a Common Enumeration of Vulnerabilities” by David E. Mann and Steven M. Christey from the MITRE Corporation. This presentation also generated considerable interest from the audience. They tackled the problem of dealing with several heterogeneous vulnerability databases and presented the Common Vulnerability Enumeration (CVE) mechanism […]


Known unknowns?

Oracle has just released fixes for 82 vulnerabilities. After taking several paragraphs to say “Many experts external to Oracle feel that patches for critical vulnerabilities are too slow in coming from the esteemed database giant, and have criticized the company for its slowness in responding to reports originating with outsiders”, Brian Krebs notes that security […]


BSD Kernel Stack Overflow

An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer. From the FreeBSD Advisory. Researcher advisory is at No word yet on if Macs are vulnerable. I think Richard at TaoSecurity sums it up well: […]


Brokerage account zero liability

E*Trade is implementing a program under which it will reimburse on-line fraud victims for their losses, according to a New York Times report This is an interesting step. Now the question is whether investors who prefer to use their pet’s name as a password will shift their accounts to E*Trade :^)


Quicktime WMF like Vulns on OSX and Windows

The folks at eEye and Fortinet have identified a variety of image based heap overflows that allow for arbitrary code execution on both OSX and on Windows. Also an article on claims that the patch initially caused some issues for some users on both platforms, that have been addressed now. Seems that poor implementation […]


Bug Scrubs and Learning From Mistakes

There’s a story at CNet, “Microsoft to hunt for new species of Windows bug:” Microsoft plans to scour its code to look for flaws similar to a recent serious Windows bug and to update its development practices to prevent similar problems in future products. Now, its’s easy to kick Microsoft for not having perfect code, […]


SubDomain GPL'd

AppArmor, the security tool formerly known as SubDomain, has been released under the GPL by Novell. See the Apparmor FAQ or the CNET story, “Novell delivers security shield for Linux computers.” If you need another layer of resilience for your Linux systems, take a look.


Device ID and Privacy

Unique, hardcoded device IDs are bad for privacy. We hate them. Our friends hate them. So its nice to see that Microsoft is making it harder to get to them: GetDeviceUniqueID attempts to address these issues and to reduce applications dependency on the precious device id. Firstly GetDeviceUniqueID can be called from the trusted or […]


"High Assurance" Certificates

Following up on previous posts on the concept of high assurance certificates (“Web Certificate Economics“), I’d like to draw attention to a CSOOnline blog post, “Phishers Now Targetting SSL:” The spoofing has taken a number of forms, which appear to be becoming highly sophisticated. They vary from exploiting browser flaws, to hacking legitimate sites or […]


Brilliant Evil Redux

Following up with further conspiracy theory on Adam’s post, I also have to wonder just how accidental it was that a properly cryptographically signed version of the patch for WinXP was “posted to a community site” yesterday. Given the pressure to quickly product a patch combined with the one produced by Ilfak Guilfanov, it wouldn’t […]


WMF Patch Timing: Brilliantly Evil?

If you’ve followed the “WMF Vulnerability” that’s been all over the security blogosphere, with leaks into the mainstream media, then you know that today Microsoft released a patch. (If you don’t know this, please just go run Windows update.) I haven’t talked about it because I haven’t had much to add, but today’s release of […]


Security Stickers

Today I received a great add for a newish security company, Devicewall. They are yet another company providing a solution for prevention of intellectual property theft. They sent me a stack of humorous stickers saying things like: “This Computer is Protected by BRSD Technology. Big Red Sticker of Doom technology leverages our natural fear of […]


Fingerprint Readers and the Economics of Privacy

I used to feel bad advocating for privacy laws. I’m generally down on laws restricting private contracts, and privacy laws seemed to be an intellectual inconsistency. I’ve resolved that feeling because almost a great many privacy invasive systems depend on either social security numbers, or government issued identity documents. It seems quite consistent to restrict […]


How To Train Users

[Update: I had accidentally linked an out of stock edition on Amazon. The new link has copies in stock.] Part of me thinks that training users is a cop-out. It’s a way for the technology industry to evade responsibility for the insecurity of their products, and blame customers for manufacturers’ failings. At the same time, […]


Merry Chrisma EXEC!

(I got it from Mikko at F-Secure. If you don’t understand, click here.)


Florida workers claim outsourced HR system reveals PII, lacks audit trail

The Tallahassee Democrat reports on an interesting disclosure instance: whistleblowers revealing allegedly shoddy data security practices at their former employer. The twist is that those doing the talking are not the folks whose jobs were outsourced, but former employees of the outsourcing firm. From the article: In an affidavit taken for a lawsuit by five […]


More on Snow's Assurance Paper

This is a followup to Gunnar Peterson’s comments on “Epstein, Snow and Flake: Three Views of Software Security.” His comments are in an update to the original post, “The Road to Assurance:” None of these views, by themselves are adequate. The combination of horizontal and vertical views is what yields the most accurate picture. Obviously, […]


It's Chaos Out There!

In “Play Break,” Hilzoy writes: Here’s what it’s about: as most parents know, little boys tend to be more interested in toys like trucks, and little girls in toys like dolls. (I was an exception: someone gave me a doll once, and I dissected it.) There is no obvious way to decide whether this is […]


Epstein, Snow and Flake: Three Views of Software Security

Among those who understand that software is, almost without exception, full of security holes, there are at least three major orientations. I’ve recently seen three articles, all of which I wanted to talk about, but before I do I should explain how I’m using the word orientation, and the connotations it carries. As used by […]


OSVDB Needs Programmers

The Open Source Vulnerability DataBase (OSVDB) is in need of additional programmers. If you’re not familiar with it because you’ve been hiding in a cave somewhere, OSVDB is a tremendous project that dramatically enhances the quality and availability of vulnerability information. Today, they posted a teaser, “OSVDB is Closing:” That said, OSVDB could substantially benefit […]


Friday Star Wars: Open Design

This week and next are the two posts which inspired me to use Star Wars to illustrate Saltzer and Schroeder’s design principles. (More on that in the first post of the series, Star Wars: Economy Of Mechanism.) This week, we look at the principle of Open Design: Open design: The design should not be secret. […]


White Wolf, Unknown number of Passwords, Hackers

The game company White Wolf is going offline because of internet attacks. This is a blending of several trends: Fuller disclosure of incidents, attackers who are only in it for the money, and the economic impact of attacks. Dear White Wolf Users, Like many other well-known companies of the last few years, White Wolf was […]

Via Bejtlich, I learned that SANS is now offering degree programs. I have not been able to determine whether they are an accredited institution of higher learning, however.


Web Certificate Economics

In a comment on “Build Irony In,” “Frank Hecker writes:” First, note that the “invalid certificate” message when connecting to using Safari is *not* because the certificate is from an unknown CA (or no CA at all); it’s because the certificate is issued to the server/domain (note the dash) and thus doesn’t match […]


Passwords: Lessons for Japan Airlines from Harry Potter

This is weak authentication in all its glory. The password is shared by every member of a House. It is a static password, changed annually. Moreover, the fat lady’s password challenge never asks students for identity. I cannot recall any incident where a house ghost barred entrance to a student because he was a member […]


0Day on Ebay

“Brand new Microsoft Excel Vulnerability:” The lot: One 0-day Microsoft Excel Vulnerability Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It […]


Muffett on Passwords

In “OpenSolaris, Pluggable Crypt, and the SunMD5 Password Hash Algorithm,” Alec Muffett writes: Several years ago now, Darren Moffat, Casper Dik and I started swapping e-mail about how pathetic it was to still be using the traditional 8-character-password unix crypt() routine in Solaris, and how we could architect something to be much better. You’d have […]


Hey, Look, It's Matasano!

Tom Ptacek’s blog is full of smart people introducing themselves, and their new company, Matasano. They’re talking about the new mix, which is to be consultants while you build your startup and look for funding. I hope that Window, Dave, and Jeremy all get the blogging bug. Heck, I hope Dino does too, because with […]


Build Irony In

Secure operation of a site is hard. Really, I’m not looking to pick on CERT. They’re doing some very good work, and Build Security In is important. At the same time, this message is only appearing because SSL certificates are focused on identity, and that identity needs to be “rooted” at a certificate authority. That […]


DMCA vs. Security Research

Last month, I commented on how the DMCA was preventing research on spyware: …the legal cloud that overhangs this sort of research. That legal cloud was intentionally put there by the copyright industry, in the form of the Digital Millennium Copyright Act. The law makes it hard to understand what research you can perform when […]


Web Browser Developers Work Together on Security

Adam’s post earlier today on efforts to improve browser security, reminded me about this post on George Staikos hosted a meeting of developers from Opera, IE, Mozilla/Firefox and Konqueror with an aim towards improving browser security across the board. Of particular interest to me in light of my intro post, were these two lines: […]


Meet The New Browser Security, Same as the Old Browser Security?

There’s a thread developing in several blogs about web browser security, and I think it is dangerously mis-framed, and may involve lots of effort going down some wrong paths. At the IE Blog, Franco writes about “Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers.” It’s a long, well-thought out post, which […]


Books: "Innocent Code" and "19 Deadly Sins"

I’m going to review Innocent Code (IC) and The 19 Deadly Sins of Software Security (19DS) in the same review because I think they’re very similar in important ways. There have been probably close to a dozen books now on writing code with good security properties. Many of the early ones had to lay out […]


A great idea whose time has come

Ben Edelman explains how Sony can use a messaging mechanism already built into the XCP system to inform people who are not yet aware of the “Sony rootkit” they’ve unwittingly installed, and what they can do about it. This is so obviously the right thing to do that I can almost guarantee Sony will not […]


Star Wars and the Principle of Least Privilege

In this week’s Friday Star Wars Security Blogging, I’m continuing with the design principles from Saltzer and Scheoder’s classic paper. (More on that in this post.) This week, we look at the principle of least privilege: Least privilege: Every program and every user of the system should operate using the least set of privileges necessary […]


ex-MI5 Head: ID Cards are a Bogus National Security Measure

Dame Stella Rimington has said most documents could be forged and this would render ID cards “useless”. “But I don’t think that anybody in the intelligence services, particularly in my former service, would be pressing for ID cards. From the BBC, “Ex-MI5 chief sparks ID card row.” Normally, a “row” requires two sides, with arguments. […]


Sony's Rootkit and the DMCA

Bruce Schneier has a good article [on his blog and] in Wired this morning, “Real Story of the Rogue Rootkit.” One aspect of the whole Sony story that’s not getting a lot of play is why we don’t see more of these things. Is Sony unique in their callous disregard of their customers, or are […]


Industry to Customers: "You're Reckless and Apathetic"

It’s a long standing “joke” that only drug dealers and the computer industry call their customers “users.” But at least drug dealers pretend that your behavior is ok. Not so the Universities educating our next generation of programmers, such as Carnegie Mellon. Their student news source, the Tartan, reports in “Study shows students cause computer […]


Epic Problems With Phone Privacy

In the cover story of next week’s Maclean’s magazine, Jonathon Gatehouse reports that he successfully obtained the phone records of Canadian Privacy Commissioner Jennifer Stoddart: …Her eyes widen as she recognizes what has just been dropped on the conference table in her downtown Ottawa office — detailed lists of the phone calls made from her […]


Unintended Consquences of Blackhat '05

(by arthur) I’m back from travels, so it’s time to post some more…. As Adam just posted, Jeff Moss sold Blackhat to CMP Media. Presumably, this sale is partially (largely?) a result of the various lawsuits that Blackhat was dealing with as fallout of “Cisco-gate”. Fortunately, these were recently settled in an equitable fashion, but […]


BlackHat Pwned!

MANHASSET, N.Y., Nov. 15 /PRNewswire/ — CMP Media, a marketing solutions company serving the technology, healthcare and entertainment markets, announced today that it has acquired Black Hat Inc., a producer of information security conferences and training that includes Black Hat Briefings and Conferences. Jeff Moss, founder and owner, will continue to run Black Hat and […]


568,200 DNS servers Know Sony

Dan Kaminsky has done some digging into the Sony rootkit: It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows…unsurprisingly, they are not particularly communicative. But at that scale, it doesn’t take much to make this a […]


NISCC Does It Their Way: Poorly

A post by Paul Wouters to the DailyDave list drew attention to “Vendor response of the Openswan project” to “NISCC Vulnerability Advisory 273756/NISCC/ISAKMP.” I feel like its 1997 again. The Oulu University Secure Programming Group (OUSPG) discovered a number of flaws with the ISAKMP/IKE portions of the IPSec protocols. OUSPG built a tool, and either […]


Friday Star Wars and the Principle of Complete Mediation

This week in Friday Star Wars Security Blogging, we examine the principle of Complete Mediation: Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes […]


Preserving the Internet Channel Against Phishing, Part 2

At this point I was pretty sure this was a social engineering attack, so I started to quiz her about why she needed the information. She said it was for a “security check”. I told her I was uncomfortable giving out information like this to a cold caller over the phone and she said it […]


Kudos to Microsoft, Brick-brats to Apple

MS05-038 and MS05-052 contain a number of defense-in-depth changes to the overall functionality of Internet Explorer. These changes were done mostly for security reasons, removing potentionally unsafe functionality and making changes to how Internet Explorer handles ActiveX controls. As a result of these changes that we made for security sake, for a limited amount of […]


Digital Pearl Harbor

[U]se of commercial products with unbreakable cryptography could seriously undermine the ability of law enforcement to perform critical missions such as protecting against threats posed by terrorists, organized crime, and foreign intelligence agents This from a rather lightweight report prepared by the Congressional Research Service. I may have read it with a jaundiced eye, but […]


The Approaching Apple OSX86 Security Nightmare

In the midst of an excellent long article on how the Wine Windows emulation layer will interact with OSX86, (“I invite you to wine“), Wil Shipley writes: When you can run Windows apps on Mac OS X, you’ll still be protected by Mac OS X. Viruses are going to be dead. D-E-D. Ok, yes, there […]


Macromedia Flash Critical Update

There’s apparently a critical flaw in Macromedia Flash 7. (You know, the software that plays annoying ads in your browser?) This affects at least PCs and Macs. Macromedia’s advisory is here. eeye has an advisory which makes it sound like a PC-only issue. Sec-Consult has published POC code. It’s unclear to me why, 130 days […]


Business Process Hacking

Business process hacking is the act of using weaknesses in the way an application is exposed to garner information or break in. Recent examples include the ChoicePoint and Lexis-Nexis attacks. Here is a new one. A couple of young traders at an Estonion bank got a Businesswire account and proceeded to dig around until they […]


We want it all, and we want it now

Bob Sullivan provided excellent “mainstream media” ChoicePoint coverage, and is doing some good blogging about breach legislation. From the blog post cited above, it’s clear that Sullivan considers the Act in question to be nigh-on to a total cave-in to industry. That things would have taken this turn is not surprising, but is nonetheless somewhat […]


Hashes: The High Cost of Deployment

Thanks for great intro Adam!. Steven Bellovin and Eric Rescorla recently released a paper, “Deploying a New Hash Algorithm.” This is a great analysis of both the operational and protocol issues with changing which hash algorithms get used by various security protocols. For instance, S/MIME has no real mechanism for negotiating which hashes (and this […]


Joseph Ansanelli, Brad Smith on Privacy Law

The [Stearns] bill would also require companies to notify not just consumers of a breach, but also the F.T.C., which would then be permitted to audit the company’s security program. “But it needs better enforcement language,” said Joseph Ansanelli, the chief executive and co-founder of Vontu, an information security company in California, who has frequently […]


Speaking Of Worms

Following up on Chris’s worm post, Red Database Security has an advisory on an Oracle worm. On 31-october 2005 an anonymous poster ( released a proof-of-concept PL/SQL source code of an Oracle worm on the full disclosure mailing list. The worm is using the utl_tcp package to find other Oracle databases in the same subnet […]


Sony, Respecting Their Customer

Over at Sysinternals, Mark posts “Sony, Rootkits and Digital Rights Management Gone Too Far.” [Update: If that doesn’t work, try Sysinternals Blog; when I checked, it was the first post.] If you’re at all technical, read it closely. If you’re not, you should at least skim it. The story is that Mark (who knows more […]


Porsches make you healthy

Well, I don’t know that for sure. But I am pretty sure that Porsche owners overall are healthier than those who don’t own Porsches. Maybe you have to control for age. Similarly, it seems that being a customer of certain companies apparently somehow causes less nastiness to befall ones computing infrastructure. Jaquith handily, yet unwittingly, […]


Quick pointer to virtual worminess

If Nick Weaver and Jose Nazario are writing about it, it’s probably way over my head, or interesting, or both. I am happy to say this is in the second category.


Check images increase forgery and ID theft risks?

The October 26 on-line edition of American Banker (gotta pay to see it, so no link from me) discusses new technologies as possible enablers of check forging, in an article by Daniel Wolfe, “The Tech Scene: Check Images A New Frontier For Forgery?” The overall point is that since banks store check images and provide […]


Dog bites man really is boring

Red Herring reports on a claim by Cybertrust that recovering from Zotob cost the average infected company $97,000. Sounds moderately interesting, until you learn that the industry hardest hit, healthcare, had 74% of its respondents totally unaffected. For financial firms, 93% were totally unaffected. Overall, nearly 90% of firms had no impact. Nada. Alternative headlines […]


Code/Data Separation

As I mentioned in my “Blue Hat Report,” I want to expand on one of my answers I gave to a question there. My answer involved better separation of code and data. I’ve since found, in talking to a variety of folks, that the concept is not so obvious as it seems to me. The […]


Counting In Computer Security

Last week in “Notes from the Security Road,” Mike Nash wrote: My favorite moment on the trip — which actually resulted in my circumnavigating the entire globe in just a week — was when we illustrated the difference in the number of vulnerabilities in Windows Server 2003 compared to its competitive product, Red Hat Enterprise […]


Business lobbies engage in rent-seeking. Masses not moved. Film at 11.

Various data protection bills to be consolidated? [P]ressure to act isn’t coming from the public clamoring for protection of their private information, it is coming from the business community that fears 50 different state laws. In many ways this improves the chances for a new federal law, because while the onslaught of data breach stories […]


How Not To Train Users

To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Again, please be assured that your ID and passcode are secure and that only Bank of America has access to them. […]


Adding Silent Insult to Injury (Senator Sessions' "privacy" act)

I just skimmed the Sessions’ bill which Chris linked to. It has a great provision for allowing the fox to not only guard the henhouse, but also to control the alarm system: 3(b)(1)(A) IN GENERAL- If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and a […]


The hand is quicker than the eye

Arlen Specter and Pat Leahy have proposed the “Personal Data Privacy and Security Act of 2005“. This is a comprehensive proposal, and is opposed big-time by various industry lobbies. As reported in the October 21, 2005 American Banker, this bill has hit a snag, and is languishing in Committee. Meanwhile, another bill, courtesy of Jeff […]


Critical Map of Alaska Disappears

‘There is a Party slogan dealing with the control of the past,’ [O’Brien] said. ‘Repeat it, if you please.’ ‘”Who controls the past controls the future: who controls the present controls the past,”‘ repeated Winston obediently. ‘”Who controls the present controls the past,”‘ said O’Brien, nodding his head with slow approval. ‘Is it your opinion, […]


Snotty Worm Coming?

Posted by Adam Richard Bejtlich predicts that the Snort network monitoring tool will be hit with a worm shortly in “The Coming Snort Worm.” He has some good qualitative analysis, and Tom Ptacek disagrees with him in “Opposition Research.” I find it fascinating that we know so little that two smart guys like Tom and […]


Following up "Liability for Bugs"

Chris just wrote a long article on “Liability for bugs is part of the solution.” It starts “Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write.” Chris talks about market failures, but I’d like to take a different direction and talk about organizational failures. Security […]


Liability for bugs is part of the solution

Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write. The boldness of this suggestion is exceeded only by its foolhardiness, but its motivation touches an important truth — alot of code stinks, and people are damaged by it. The reason good programs (which means those […]


Here's to you, New York…



Security Costs of Logging

In “Online Dirty Tricks at American Airlines ” Gary Leff reports: The Wikipedia entry on the Wright Amendment (the law which restricts destinations of flights taking off from Dallas’ Love Field, which serves — and was intended — to protect American Airlines from Southwest) was edited by someone using an American Airlines domain. Someone using […]


Blue Hat Report

The other thing I did at Microsoft last week was I participated in Blue Hat. Microsoft invites a selection of interesting researchers to come to Redmond and present a talk to a variety of people within the company. Blue Hat is organized by Kymberlee Price, who works with Andrew Cushman, and they did a great […]


Dangerous Meme

If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed. Relying on security awareness training is an admission of failure. This meme must be eradicated from the gene pool. So writes Rich Stiennon in “Dangerous meme.” He’s absolutely right. Training […]


Security Roundup: Build Security In Edition

David Litchfield lets rip at Oracle in “Complete failure of Oracle security response.” Such questions need to be directed to more vendors than just Oracle. Andrew Jaquith writes about “Hamster Wheels of Pain” in security company presentations. The Seattle Times has an article on those new fancy, radio controlled cockpit doors, “Glitch forces fix to […]


Today, I Publicly Praised Microsoft

On the “Meet the Bloggers” panel at the Detroit IT Security Summit, I publicly heaped praise on Microsoft for their investment in security, the results of which include some really cool tools in Visual Studio 2005. Also on the panel, Ed Vielmetti brought up a really good point that I hadn’t heard recently, that of […]


What Is Phishing

In conversation with a friend, I realized that my essay, “Preserving the Internet Channel Against Phishers” didn’t actually explain the problem. I made the assumption that everyone had the same perception of what it was. (Why didn’t anyone point that out?) So I’ve added the following (after the break), and I think the resultant essay […]


2005 Underhanded C Contest Winners Announced

Congratulations to the three winners: M Joonas Pihlaja and Paul V-Khuong (who had a joint entry) and Natori Shin. Code is here. I previously blogged about the contest here.


On RSS Security

I’ve been mystified for a while by people talking about a need for RSS security products, as if those were somewhat different than other HTTP security products. Apparently, I wasn’t alone in this, Greg Reinacker, CTO of Feedburner Newsgator writes: I was on a call the other day with some folks in the industry, and […]


Can You Hear Me Now?

Ed Felten reports on a new technique to turn go from a recording of typing to the sequence of keystrokes: Li Zhuang, Feng Zhou, and Doug Tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can […]


Small Bits: Clearance, Security Legislation, Schneier Pointers, Get Me An Operator

Richard Bejtlich comments on a Federal Computer Week article, “Security clearance delays still a problem” in “Feds Hurry, Slow Down.” “ITAA officials said 27 member companies that responded to a survey are coping with the backlog by hiring cleared employees from one another, sometimes paying premiums of up to 25 percent.” I’m glad to see […]


Capture The Flag Too Boring?

Max Dornsief complains that “Capture the Flag is getting somewhat boring.” That’s too bad, so with all due haste, here are some suggestions: Capture the Business: …is a slight variation on the Ghetto Hackers game. The Ghetto hackers were all about simulating a real business, with its need for uptime. In capture the business, teams […] Blackjack Cracked

An article in the summer 2005 issue of 2600 magazine (“The Hacker Quarterly”) discusses a timing attack on the Paradise Poker Blackjack game. In essence, the game reveals when the dealer’s hole card is a 10, because it takes longer to process that situation. (The article isn’t online, near as I can tell.) There’s more […]


Companies Helping Phishers

Daniel Solove has a good post on “How Companies Help Phishers and Fraudsters.” Companies have trouble being consistent in what they send, and that’s to the advantage of fraudsters. They also have a hard time taking security information from outsiders, however well meaning. I had an experience with Citi Mastercard. After some problems, I was […]



Captchas are those annoying, spamatuer “type this so we can stop spam” things that you see on some blogs. PWNtcha stands for “Pretend We’re Not a Turing Computer but a Human Antagonist”, as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations. For an overview on why visual […]


"FBI: Businesses (Still) Reluctant To Report Cyber Attacks"

Volubis picks up stories in Information Week and Computer World: Roughly 20% of businesses report computer intrusions annually, a figure the agency believes is low. Director Robert Mueller urged businesses to step forward, promising greater sensitivity from the FBI in return. This reluctance has become especially important at a time when identity theft is growing […]


Where's the Evidence?

Tom Ptacek offers up unsubstantiated rumors, and Lindstrom caves? Shoot. I did my chrooting DNS work when a customer’s DNS servers came under attack. Can I get beer without naming the customer? I thought Pete was demanding full details. None of the attacks I saw used are less than five years old. More seriously, I […]


More on Using Email Like a Stupid Person

[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.] There have been lots of good comments, both here and over at Nielsen Hayden’s Making Light. There’s a few points left dangling that I wanted to respond to further. Those are the “ignore the marketing department” view and the “train the customer view.” […]


Lindstrom's Indemnification

Pete Lindstrom has very nicely offered to indemnify me, and pay my outrageous consulting fees when no one else will, if only I break NDAs and disclose which 0day exploits were used against which of my clients. Well, the city of Tokyo…No, I’ve never worked for the city of Tokyo. Now, as I’ve said repeatedly, […]


Microsoft's "monkeys" find first zero-day exploit

Microsoft ‘s experimental Honeymonkey project has found almost 750 Web pages that attempt to load malicious code onto visitors’ computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month. So reports Rob Lemos, in “Microsoft’s “monkeys” find first zero-day exploit.” We’ve […]


The Alexis Park ATMS are Perfectly Safe

Hackaday posts pictures in “defcon day 2 – don’t use the atm.” I don’t trust the ATMs at any Defcon haunt anymore, and was surprised to see a fellow I respect stick his ATM card into the machine at Hamburger Mary’s. I do wonder if any of the well-dressed guys using the ATMs were adding […]


Who Has Time For This, Indeed?

David Cowan has a nice post on technologies he won’t fund, and why. It’s a great post. More investors should be up front about what they’re not interested in. Bessemer has funded 16 security startups–more than any other traditional VC firm–but there are some areas of security that even we have never funded, despite the […]


My Bleeding Snort Rules Just Alerted Me to TERRORISM!

Err, no. But I was reading a post at TaoSecurity, “How to Misuse an Intrusion Detection System:” I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email: (jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels) (washington|london|new york) But such rules […]


The Next PR Speciality?

Over at Presto Vivace, Alice suggests that “Security breaches and violations of privacy are going to be the next speciality in crisis communications.” I suspect that she’s right, and hope she’s wrong. In cases like Cardsystems or Choicepoint, where the organization is violating policy, contract, or law with its data, the impact on the company […]


Inviting Cockroaches to the Feast?

Over at “The Security Samurai,” Eric Marvets posts on “How Do I Get My Company To Take Security Seriously? Will Liability Work?” I’ve posted my thoughts on liability (“ Avoiding Liability: An Alternative Route to More Secure Product) and hope to develop those further sometime. One thing Eric says jumped out at me: Today I […]


CVE Content Decisions

The fine folks at MITRE have published “CVE Abstraction Content Decisions: Rationale and Application:” This document is intended for use by Candidate Numbering Authorities (CNAs)and may be of interest to vulnerability researchers, maintainers of vulnerability databases and other CVE-compatible products and services, and technical consumers of vulnerability information on a large scale. Via OSVDB Blog, […]


Trial By Fire

Tom Ptacek and Jeremy Rauch are offering a course on analyzing products, taking them from black boxes to open books. Cool! From the ad: This class offers a behind-the-scenes tour of the product evaluation process. Renowned security experts Jeremy Rauch and Thomas Ptacek offer a crash course on the most important aspects of validating – […]


More on North Korean Online Warfare

I wrote about this in “North Korean Hacking Story,” and more detail emerges from a mail (or perhaps its a website? Hard to tell.) Anyway, this was eventually forwarded to Dave Farber’s IP list, Anyway, Brooks Isoldi, edidor of Intellnet writes: North Korea has trained a small army of computer hackers whose capability is equal […]


2005 Underhanded C Contest

Inspired by Daniel Horn’s Obfuscated V contest in the fall of 2004, we hereby announce an annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward […]


The Open Society Paradox: Companies Have Privacy, You Don't

For those who, during the ChoicePoint outcry, (see Secondary Screening) were critical of me for not supporting a notification law for companies who maintain databases of personal information I point you to a couple of facts. First, today’s news that tapes with the sensitive data of 4 million Americans are missing is just the latest […]


ACM Computer & Communications Security

Industry and Government Track of CCS ’05 is now accepting submissions: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of the research community. Audience members would like to learn about pressing security vulnerabilities and deficiencies in existing products and Internet-facing systems, and how these should motivate […]


Teland and Wattal on Insecurity and Stock Price

At the Workshop on Information Security Economics, Rahul Telang and Sunil Wattal presented “Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation.” I’m pretty busy, so I’ll point to comments by Ed Moyle, and hefty analysis by Tom Ptacek. [Private to DM: If I say its a workship, […]


Breach Laws

The Washington Post reports: States Keep Watchful Eye on Personal-Data Firms: Critics of the multi-state approach say that due to the potential monetary, logistical and public-relations headaches that could come from establishing different requirements and penalties in each state, companies will soon be forced to set their overall policies to satisfy the state with the […]


North Korean Hacking Story

The Korea Herald has done an awful job of reporting in “N.K. hacking ability matches that of CIA, analyst says.” Normally, I ignore awful reporting as roughly par for the course, but this is egregious. “Our electronic warfare simulation indicates that North Korea’s capability has reached a substantial level, unlike what is generally known to […]


Small Bits of Chaos: Hal Stern, Lexis-Nexis Hackers, UK ID Cards, Bolton

Hal Stern has a blog! Hi, Hal! Wired News has a long story, “Database Hackers Reveal Tactics,” about the kids who broke into Lexis-Nexis. There’s some interesting bits. Most interesting to me is that none of these kids seem to have lawyers telling them to shut up. The BBC has an article on British reactions […]


Two On Secure Software

There’s a placeholder page at NIST for their SAMATE project, (“Software Assurance Metrics and Tool Evaluation”). Interesting stuff if you wonder why its so hard to release secure software. Also, Lauri@Schedler writes, in Making correct code look good Reading the article I was wondering what is the point of leaving information about safe and unsafe […]


Emergent Bits of Security: Analyzing Binaries, Code

If you think that an application is more secure because it’s undocumented, you should read Salman A. Baset and Henning Schulzrinne’s “An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol.” (Thanks, DM) Network Computing also discusses the idea, in the context of How Dangerous Was The Cisco Code Theft?. Gunnar Peterson mentions a Richard Clark […]


Emergent Bits of Security

(Updated shortly after posting with Eric Rescorla’s evidence presentation.) Nick Owen has a post about Net Present Value and Annual Average Loss Expectancy. If you think security is all about vulns and 0day, you probably don’t need to read this post, and your boss is going to keep rejecting your spending proposals. Carrie Kirby argues […]


Advances in Financial Cryptography – "First Issue"

I have a long list of issues with the academic publishing process. I’m a big fan of the Public Library of Science model. So when Ian Grigg asked me if I’d be interested in helping with his new publishing model, I was pretty excited. And now, I have an essay in the first issue: I’m […]


Software Design Pointers

Gunnar Peterson asks “How far can software architects get using a purely rational approach to software development,” and Michael Howard points to Dave Leblanc’s “Another Look at the SafeInt Class.” If you write in C++, check out the SafeInt stuff. It’s the sort of “close off a class of vulnerabilities” approach that I love.


Zabbo Blogs (again!)

I’m very excited to discover that my friend Zach Brown is blogging again. Zach was one of a group of friends who introduced me to blogs in, maybe late ’99? Early 2000? He’d been on haitus, and I’m glad he’s back. But I realized that my excitement felt a little odd, and so I’ve been […]


Hofmeyr on Legislation

1386 provides a huge incentive for companies to secure their systems, without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way. This encourages innovation in defense, because should new, more effective defense strategies become available, companies are more likely to adopt them, whereas if they […]


Small Bits: Labelling Software, People, Aaron Weisburd's Foreign Policy

Gunnar Peterson offers up a label for software that he stole from Jeff Williams. I had a good, if short, back and forth with Geoff, of Screen Discussion, in his comments, on using photographs to enhance criminal background checks, by including photos with the records of criminals, so the viewer of a report can compare. […]



Speaking of distributed innovation, the Open Source Vulnerability Database is a great project, dedicated to accumulating deep technical knowledge about computer security vulnerabilities, and making it freely available. And now it turns out, they have a blog! Mark Ward has an interesting article, “Predicting Vulnerabilities, Quotes and more.” When the patch comes out, many people […]


Small Bits of Security Chaos: Airports (2), Bastille Linux adds metrics

The Department of Homeland Security Office of Inspector General has written a report on TSA security: Improvements are still needed in the screening process to ensure that dangerous prohibited items are not being carried into the sterile areas of airports, or do not enter the checked baggage system. In our report on the results of […]


Removing Excel Macros?

I have a document where I started to create a macro, then realized that some clever search and replace would work. So I stopped creating the macro. But now, the document (which I share with others) has a macro in it. Sure, its possible to open with macros disabled, but I’d like to remove the […]


Apple Security Update 10.3.9, Analyzed

I have a confession to make. I’ve spent way too much time thinking about patching, and secure programming technique. This week’s Apple security update is interesting to me for a few reasons. Two side comments before I delve into the nitty-gritty. What’s with releasing this at 5.30PM on a Friday? If Microsoft had done that, […]


Workers Steal PINs, Cash

BANGALORE, India — Former employees of a call center in Pune, India, were arrested this week on charges of defrauding four Citibank account holders in New York, to the tune of $300,000, a police official said. The three former employees of Mphasis BPO, the business process outsourcing operation of Bangalore software and services company Mphasis […]


4th Workshop on the Economics of Information Security

The Fourth Workshop on the Economics of Information Security will be held in Boston, June 2-3. The schedule is now online. I’ll be presenting a short essay on “Avoiding Liability: An Alternative Route to More Secure Products” at the rump session. I’d love feedback. Ian Grigg has talked about alternate review systems.


Small Bits: Canada, DNA, Microsoft and Tea

While publicly recalling their Ambassador over the brutal murder of Zahra Kazemi, the Canadian government was playing host to Iranian officials, looking for security information, reports the CBC: In dozens of e-mails, there is no mention of Kazemi, and no one questions why Canada would help Iran, considered by some to be a brutal police […]


Clueless about ID Theft

I’m not sure if Jon Ostik’s column “Want to prevent ID theft? Get back to basics” is a brilliant April Fool’s Day joke, or, an example of, as the Identity Theft blog claims, “Many “security professionals” are clueless about identity theft.” Before anyone panics, the logical first step in any security process is an audit. […]


Cool Tech Not at RSA

Quick! Someone get these folks a marketing department! Someone showed me a cool password storage token from Mandylion Labs. You can load passwords over a little electronic interface, and then keep long lists of superuser passwords in your pocket. I had to mail my buddy to get their name. It seems somewhat better than a […]


Information Security Magazine on Choicepoint

Information Security Magazine has an interview with Choicepoint CISO Richard Baich. It’s behind a subscriber-wall, so I’m excerpting bits of it after the read more.. (Via Run-DMZ.)


P2P, Filenames

The other day, Samablog and I did some P2P mining, after Michelle Malkin blogged about it. She links to P2P Provides Safe Haven For Pedophiles. There, Rick shows screen captures of extremely disgusting file names (“2 yo getting raped during diaper change”). He doesn’t download any files, but takes this as evidence for his title. […]


Emergent Predictions

By the end of 2005, we will have had a month with at least 30 disclosures of serious security breaches, making private information about people available. At least 10 of these breaches will involve data which organizations are required by law to store and protect. This will cause a set of Congressional hearings, in which […]


Microsoft Security Lifecycle

Michael Howard mentions that Microsoft has published their Software Development Lifecycle for security. Slag all you want, but I don’t see a lot of other vendors doing this. And now, if you need leverage to get buy in, you can either say, “We should emulate Microsoft…” or “Even Microsoft does…” It’s a win. Thanks for […]


Bad advice on SSNs

Bad advice on use of social security numbers abounds, often in technical documentation. Credit goes to reader Jonathan Conway for digging many these out. There are a few very common errors which we can find, thank to Jonathan’s research: Social security numbers are un-changing. No, they are not. Victims of identity theft, domestic abuse, or […]


New American Privacy Law: What Could It Say?

With recent events (Choicepoint, Bank Of America, PayMaxx, and Lexis Nexis) leading to a new privacy law for the United States, what should it say? How can we tell a good law from a bad one? Some disclaimers: I’m not entirely in favor of a new law. There’s a lot of potential for harm when […]


What's Wrong With Lexis-Nexis?

It seems that Lexis Nexis’s breach was because of bad passwords: The incidents arose from the misappropriation by third parties of IDs and passwords from legitimate customers. I don’t mean to be snide. No, that’s a lie. I do. It’s 2005. You’re making all this data available via a password? Are your auditors telling you […]


Financial Privacy Regulations, 5 Years Behind?

The American Banker has a long story about how some regulations from GLB are now five years behind schedule: Ironically, both bankers and consumer advocates panned the agencies when they proposed guidelines on identity theft prevention in August 2003. The 25-page guidelines were based on Section 501 of the Gramm-Leach-Bliley Act of 1999, which required […]


Attackers, Disclosure and Expectations

In both military or information security situations, the position of the attacker is very powerful. An attacker can choose when, where, and how to attack. Attackers are not constrained by change management committees, operational risk, or a need to make economic tradeoffs within a budget. [1] Attackers don’t need to consider other work that needs […]


More on CVSS

Erik Rescorla takes note of my CVSS post, and comments that he’s not sure he likes some technical aspects of the system (emphasis added): CVSS does have a formula which gives you a complete ordering but the paper doesn’t contain any real explanation for where that formula comes from. The weighting factors are pretty obviously […]


Common Vulnerability Scoring System

At RSA, Mike Schiffman presented a Common Vulnerability Scoring System. Brian Erdelyi has taken that, and made a web page to generate numbers. It’s at SecurityHive. (The page requires Javascript be turned on to function.)


Software Liability by Contract, Not Regulation

While “other events” are causing me to prevaricate over data protection legislation in the US, it’s great to see this Wall St Journal story (reprinted in the Contra Costra Times) on large software buyers pushing for liability clauses in their contracts. “I’m paying the bill. Other companies are paying the bill,” says Ed Amoroso, AT&T’s […]


Quick Followups

David Akin says CIBC is getting sued for faxing information around. Prior posts are “Privacy Lessons from CIBC and Canadian privacy law & CIBC. 19 days after the vulnerability was announced, Mozilla releases Firefox 1.01.


Finding Security Issues

In Today’s Choicepoint Roundup, I mentioned that Richard Smith had found a number of issues with Choicepoint’s web sites. In discussion, Richard told me that the issues included (but were not limited to) robots.txt files and directory listings enabled. The robots.txt standard is a way to tell search engines “please don’t go here.” That’s useful, […]


Disclosure and PayMaxx

There seems to be a bit of a spat going between PayMaxx, and ThinkComputer (who may have the worst web site I’ve tried to view in a long time). As documented by Robert Lemos at Ziff-Davis: Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company’s system more than two weeks […]


More on Choicepoint

Enter ChoicePoint’s two-building campus in Alpharetta, and you get the feeling you are being watched. starts a new story at the Atlanta Journal-Constitution. (Use Bugmenot to login.) It’s sort of ironic. Choicepoint is focused on identifying people, rather than identifying behavior that leads to trouble. They figure once you have an account, they want you […]


Cool Tech At RSA

One of the best bits at RSA was at the HP booth. Marc Stiegler, Alan Karp, Ka-Ping Yee and Mark Miller have created Polaris, a system for isolating and controlling untrustworthy code on Windows. The white paper is here. It’s very simple, easy, and looks like a winner. I hope they find a way to […]


Security So Good, No One Could Login

One of the ironic bits about the RSA conference was the wireless network. Your username was your email and the password was on your badge. However, I had trouble logging in, so they gave me this username and password. I’m pretty sure that they didn’t record who I was as they did it. Even once […]


Small Bits on Programming

Max Dornseif asserts it’s easy to find bugs. (Perhaps even easier than figuring out trackbacks for his blog?) In an article in ACM Queue, Ioannis Samoladas, Ioannis Stamelos, Lefteris Angelis, Apostolos Oikonomou examine some measures of code quality between open and closed source apps.


What do Apple's Common Criteria Tools Do?

Apple has made available a set of “Common Criteria” tools. The “evaluation” page is here. The evaluation criteria is “EAL 3, CAPP, version 1.d, October 8, 1999.” (The README is a bit better.) If anyone would care to explain to me what I’ve just said, or, really, what the tools package does, I’d be much […]


Small Bits: T-Mobile, Google, Passports, Terrorism

Jack Koziol has a long post on security issues with T-Mobile’s web site. (Via /.) Did you know that Google’s “Dissatisfied? Help us improve” link only appears on the first page of a search? That’s fascinating–they expect their search to be so good that they get what you want on page 1, and you’ll complain […]


How Many Choicepoint Victims Are at Risk?

Choicepoint is a large credit bureau who denies being one. Yesterday, MSNBC reported that “more than 30,000 Californians” had been notified of problems. Now, no one opts-in to Choicepoint. No one can opt-out. They maintain files on you without your knowledge or permission. Now we know that at least 30,000 people were put at risk […]


What Did TSA Know, and When Did They Know It?

Recently, Slate had an article on how to alter your boarding passes and bypass the silly watch lists. It was picked up by BoingBoing, and it turns out that Bruce Schneier talked about it 18 months ago. Recently, I was talking to a friend who started telling me about…how to alter your boarding passes. What […]


Proof Of Concept Code, Boon or Bane

Microsoft has come out swinging against researchers who publish code: Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk. A common practice among responsible researchers is to wait a reasonable period of time before publishing such code. This generally accepted […]


Small Bits of Chaos: Passwords, Metrics, Self-Awareness, Mozilla

Bruce Schneier has a nice article on the risks of e-commerce sites that make you establish an account, rather than just giving them money. Pete Lindstrom has an article in Information Security magazine about security metrics. Roger McNamee has an insightful post at his new blog about the importance of self-awareness generally. It’s especially applicable […]


Security Planning

Gunnar Peterson (who has a new blog) points to the public release of the worksheets from “Misson Critical Security Planner.” I haven’t read that book, but the worksheets look like useful planning documents.


Shmoocon Slides

At Shmoocon, Crispin Cowan, Ed Reed, Al Potter and I ran a BOF entitled “Evidence Based Security.” The feedback I got from the audience was all positive. I was hoping that things would have gone more towards the question of what is good evidence, and how you evaluate questions, but that’s the joy of you […]


Wachovia Misdirects Customer Information

Wachovia said that, overall, 86 statements or tax forms were mistakenly sent to Pirozzi, including information on 73 individuals. Pirozzi said the number of pieces of mail was significantly higher, closer to 140. … Pirozzi tried desperately to get the problem fixed once the first batch arrived last spring, but he says that no one […]


Stefan Brands Blogging

Stefan Brands has a new blog. Stefan is not only one of the top two or three folks in the world in privacy enhancing cryptography, but he writes eloquently about the social reasons privacy is important. We worked together at ZKS, and I’m very sad we didn’t get further selling his technology. I look forward […]


Top 30 Papers in Infosec

Max Dornseif has a post titled “Top 18 Papers in Information Security,” with 28 papers. But who’s counting? Its a fascinating exercise, and I’m glad to see papers from Phrack. I’d suggest that they define top: Most influential? Most cited? Most important? I do think that no paper which isn’t available to the public via […]


CEOBlogger on "IT Propaganda"

There’s a new blog, from a fellow claiming to be the CEO of a public company, experimenting with blogging. Welcome! In his second post, he responds to the WikID Thoughts, Emergent Chaos, Financial Crypto series on IT breaches, calling it an example of “IT Propaganda.” I love the ‘IT propaganda’ phrase–one of the themes that […]


Small Bits: ICANN, Mock Trials, S.116, etc

Ian Grigg and I have a letter to ICANN about Verisign. See his post. Eric Rescorla has a Kafka-esque excerpt from the “trial” of Mustafa Ait Idr, who wasn’t allowed to see the evidence against him. Mort points me to US Senate Bill 166116, introduced by Diane Feinstein, making it a crime to sell social […]


One more thing in the -We-really-mean-all department

Martin Pool says “gcc makes my day.” If the sentence “Generate traps for signed overflow on addition, subtraction, multiplication operations” means anything to you, read his post. (I’ve discussed gcc in the past here.


Small Bits: Research, Web Security, Saturn's Moon

Uncle Sam is trying to restrict basic research. This approach comes from such a foreign orientation I’m not even going to comment. Jerimiah Grossman has an article on easy things to do to protect your locally developed application. I still think you should look at your code, but that’s still unfortunately expensive and difficult. Finally, […]


More on Economic Analysis of Vulnerabilities

Dave Aitel has a new presentation (“0Days: How Hacking Really Works“) on what it costs to attack. The big cost to attackers is not vulnerability discovery, but coding reliable exploits. (There’s an irony for you: Attackers are subject to the same issues with bad software as their victims.) The presentation is in OpenOffice format only […]


"Analysis of the Texas Instruments DST RFID"

A group at Johns Hopkins and RSA security have interesting new attacks on the RFID chips used in Mobil Speedpass. They’ve put up a web site at, and gotten some press at the New York Times.   [Edited 29/4/2017 to unlink because Google claims its distributing malware.]


Ben Rothke on Best Practices

Best practices look at what everyone else is doing, crunch numbers—and come up with what everyone else is doing. Using the same method, one would conclude that best practices for nutrition mandates a diet high in fat, cholesterol and sugar, with the average male being 35 pounds overweight. Writes Ben Rothke in a short, incisive […]


Towards an Economic Analysis of Disclosure

In comments on a my post yesterday, “I Am So A Dinosaur“, Ian asks “Has anyone modelled in economics terms why disclosure is better than the alternate(s) ?” I believe that the answer is no, and so will give it a whack. The costs I see associated with a vulnerability discovery and disclosure, in chronological […]


I Am So A Dinosaur…

…and I was one before it was cool. Crit Jarvis responds to my comment that my views on disclosure have ossified by claiming that I’m evolving. The trouble is, I have documented proof it’s not true. From my homepage: Apparent Weaknesses in the Security Dynamics Client Server Protocol. This paper was presented at the DIMACS […]


More on Do Security Breaches Matter?

In responding to a question I asked yesterday, Ian Grigg writes: In this case, I think the market is responding to the unknown. In other words, fear. It has long been observed that once a cost is understood, it becomes factored in, and I guess that’s what is happening with DDOS and defacements/viruses/worms. But large […]


Small Bits of Chaos: Blind overflows, National ID, and Looney Tunes

SecurityFocus has a new article on blind buffer overflows. I’m glad these techniques are being discussed in the open, rather than in secret. Julian Sanchez has the perfect comment on Congressman Dreier’s new national ID plan, at Hit & Run. And finally, don’t visit this Looney Tunes site if you’re busy. (Via Steven Horowitz at […]


Do Security Breaches Matter?

Nick Owen posts about the stock valuation impact of security breaches. This UMD study found that a firm suffering a breach of ‘confidential information’ saw a 5% drop in stock price while firms suffering a non-confidential breach saw no impact. I read it as the market over time learning the difference between a DOS attack […]


Application Layer Vulnerability, an Orientation Issue

Richard Bejtlich comments on a new “@RISK: The Consensus Security Alert“, which starts: “Prediction: This is the year you will see application level attacks mature and proliferate.” He says: You might say that my separation of OS kernel and OS applications doesn’t capture the spirit of SANS’ “prediction.” You might think that their new warning […]


All Good Things Must End

Phrackstaff is pleased to bring you _our_ LAST EVER CALL FOR PAPERS for the FINAL RELEASE of PHRACK. … Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground. PHRACK MAGAZINE is made available […]


Software Security: What's Your Next Move?

I met Gunnar Peterson after attending one of his talks at BlackHat. It was very well done, and it looks like he’s now offering longer versions. If you’re concerned about the security of your software, and want to improve your development process, you should consider this. If you produce software, and aren’t concerned about the […]


Rob Slade Ben Rothke Writes a Positive Review (Forensic Discovery) [Ooops!]

Rob Slade reviews security books. No, more generally, Rob Slade points out in excruciating detail the flaws in security books. So when he I misread a post from ISN and think it says Slade, rather than Rothke, I look like a real fool who can’t find the flaws in my own writing. Really, Ben Rothke, […]


Attackers Are Evolving, Are You?

When I was getting into computer security, back in the dark ages, when Nirvana was releasing albums, hacking was an art. It was passed along in hard to find text ‘philes’, which were a mixture of technology and philosophy. 2600 Magazine remains an example of this sort of old-school hackerdom. The world-view that accompanied the […]


"Thinking WiKID Thougts"

Nick Owen has a new corporate blog up. His very first post is “Why ROI is a crappy measure for Information Security.” I look forward to more.


Small Bits of T-Mobile

A friend wrote to T-Mobile and asked if his data was compromised in the T-Mobile break-in. A service droid sent him a press release. My comments are pointed to by the brackets. Customer, Please see the press release below regarding the hacker investigation with T-Mobile’s customer information. If your information was compromised you would have […]


Trouble with Surveying Cybercrime

In a comment yesterday, Chris Walsh said: In any case, this should not be a difficult nut to crack, in principle. The US government conducts surveys of businesses all the time, and is capable of obtaining quality samples and high response rates in which academics justly have confidence. In theory, I agree with Chris. In […]


DHS to Survey Cybercrime

In what they hope will become the premier measure of national cybercrime statistics, officials at the Homeland Security and Justice departments plan to survey 36,000 businesses this spring to examine the type and frequency of computer security incidents. This is a really exciting development. DHS seems to be taking a good approach, and in a […]


More on TMobile

The LA Times has a story on Jacobsen, the hacker, and the AP has a story with more technical details. The Infosec Potpourri blog has some analysis of the AP story.


Model Checking One Million Lines of C Code

Hao Chen, Drew Dean, and David Wagner have a paper of that name in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), pages 171–185, San Diego, CA, February 2004. Hao Chen’s papers page has powerpoint, PDF and PS, as well as this abstract: Implementation bugs in security-critical software are pervasive. Several […]


Financial Cryptography

The conference, not the blog, is now accepting registrations. The program looks really good this year.



A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers’ passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned. … T-Mobile, which apparently knew of the intrusions […]


Blog Spam

Stefan Geens has a long post on why SixApart’s TypeKey system is not a good solution to blog spam. He points out that the system has bad economies of scale: Here too, the spammer needs to sit down, get a key, pretend to be human for a minute and behave until he gets a comment […]



In a post to the patch management mailing list, Jay Woody mentions Threatcode, a site dedicated to tracking and shaming badly written code. Cool! I wish the site was a little easier to read, but nice going!


Small Bits of Chaos

Simson Garfinkel announces a new article analyzing the security of Skype. JihadWatch comments on a story on NPR yesterday, bemoaning the descriptivist reality that Jihad is now used to describe violent acts of terror. I heard this story on the radio, and the commentator’s prescriptivist bias of “Darn it, this is what the word means!” […]


Does Ryan Singel Need A Privacy Policy?

Yesterday, I commented that Ryan Singel, in his review of Robert O’Harrow’s* new book, had an Amazon tracking URL. I was mostly noting the irony of aiding tracking in a post titled “Pay Cash for This Book,” but Ryan comments: “it got me to thinking that this site has no privacy policy.” Not to pick […]


Small Bits of Chaos

Ryan Singel reviews Robert O’Harrow’s new book, No Place To Hide. O’Harrow covered the CAPPS-II and other privacy stories for the Washington Post. In the spirit of the story, I’ve left the little tracking bits from Ryan’s Amazon URL. If you’d like a less tracked version, click here, or type the title into Amazon. There’s […]



Adam Laurie and company continue to not release code for their Bluetooth attacks, and vendors continue not to fix them. Are we better off, with millions more Bluetooth devices out there? Do we expect that there will be no release of code, and that without POC code, we’re safe? Bluetooth is different from internet vulns, […]


Small Bits of Chaos

Ed Felten announced a “Clip Blog,” of short articles with no or small comments. Hmmm. Neat idea. Ian Grigg gives us his thoughts on the Abagnale controversy: [Clausewitz] said something to the extent of “Know yourself and you will win half your battles. Know your enemy and you will win 99 battles out of a […]


Ratty Signals

So, we have a security signal that’s available, but not used. Why might that be? Is the market in-efficient, or are there real limitations that I missed? There are a few things that jump to mind: Size of code issues. More code will produce a longer report. Rats produces a line count, but doesn’t issue […]


More on ROI

You can get ROI from security solutions by automating manual processes. Patch management and automated password resets are two solutions that don’t need “incidents” to gain a return. says Pete Lindstrom, responding to my comments that: Well, of course. ROI has enormous problems, including an assumption that technology works out, that there’s an infinite pool […]


Database Flaws More Risky Than Discussed

Rob Lemos has an article in CNET about NGSSoftware. On Thursday, they released a slew of advisories about Oracle products with flaws NGS had discovered 3 months ago. Now, it turns out that the problems may be more risky than thought. Alternately, the release of the exploit code may have cause SecurityFocus to raise its […]