Archive for the ‘Uncategorized’ Category

I Promised I Wouldn’t, but I Did…iPhone Smoothies! Die, iPhone…Die!

July 23rd, 2007 No comments

I’m so damned iSick of everything iPhone.  This is beautiful.  Die, iPhone, Die!

Brings new meaning to the phrase "blended threat."

If you’ve got NoScript running, here’s the link.

/Hoff

Categories: Uncategorized Tags:

Take5 (Episode #4) – Five Questions for Shlomo Kramer, Founder/CEO of Imperva

July 8th, 2007 No comments

This fourth instance of Take 5 interviews Shlomo Kramer, Founder and CEO of Imperva.

First a little background on the victim:

In 2006, Shlomo Kramer was selected by Network World magazine as one of 20 luminaries who changed the network industry.

Prior to founding Imperva, Mr. Kramer co-founded Check Point Software Technologies Ltd. in 1993. At Check Point, he served in various executive roles through 1998 and as a member of the board of directors through 2003. While at Check Point, Mr. Kramer played a key role in defining and creating several category-defining products and solutions, including FireWall-1, VPN-1, FloodGate-1, Check Point’s OPSEC alliance, and Check Point’s security appliance program.

Mr. Kramer has participated as an early investor and board member in a number of security and enterprise software companies including Palo Alto Networks, Serendipity Technologies, and Trusteer. Mr. Kramer received a Masters degree in Computer Science from Hebrew University of Jerusalem and a Bachelor of Science degree in Mathematics and Computer Science from Tel Aviv University.

Questions:

1) As most people know, you are a co-founder of Check Point and the CEO of Imperva.  You’re a serial entrepreneur who has made a career of bringing innovation to the security market.  What are you working on now that is new and exciting?

All my time has been devoted in the last few years to Imperva. This project continues to excite me. After five years of hard work, it is very rewarding to see Imperva being recognized as the leader in application data security and compliance. Imperva delivers data governance and protection solutions for monitoring, audit, and security of business applications and databases. This is really a hot issue for organizations given the new threat landscape, regulations such as PCI and SOX and the ever increasing privacy legislation. I have always believed what we do at Imperva will define a new product category and the last couple of years have been a big step towards that.

I am also involved as an investor and board member in a number of other great security startups.  One example is Palo Alto Networks (www.paloaltonetworks.com), a next-generation firewall company. Their products provide full visibility and policy control over applications across all ports, all protocols, all the time–with no performance degradation. We’ve just launched the company, it’s an exciting time for Palo Alto Networks.

Another great company I am involved with is Trusteer (www.trusteer.com). Trusteer addresses the critical problem of protecting on-line transactions. Trusteer came up with a revolutionary way to protect online businesses from any "client-side" identity threat such as phishing, pharming, and crimeware. Helping businesses strengthen consumer trust, reduce costs, and differentiate online services is a big challenge and Trusteer has a very interesting and unique solution.

2) So tell us more about Palo Alto Networks on whose Board you sit.   The company has assembled an absolutely amazing group of heavy hitters from industry.  Either you’ve already got the company sold to Cisco and everyone’s signing on for the options or this is really going to be huge.  What’s so different  about what PAN is doing?

Existing firewalls are based on Stateful Inspection, which employs a port and protocol approach to traffic classification. The problem existing firewall vendors face is the fact that much of their core technology (Stateful Inspection) is over a dozen years old and new applications have found a variety of ways to evade or bypass them with relative ease. Attempts by firewall vendors to fix the problem by ‘bolting on’ Intrusion Prevention (IPS) or Deep Packet Inspection as an additional feature have proven unsuccessful, resulting in significant issues with accuracy, performance and management complexity.

Starting with a blank slate, the Palo Alto Networks founders took an application-centric approach to traffic classification, thereby enabling visibility into, and control over, Internet applications running on enterprise networks. The PA-4000 Series is a next-generation firewall that classifies traffic based on the accurate identification of the application, irrespective of the port, protocol, SSL encryption or evasive tactic used.

3) Having been an early adopter of Check Point, Imperva, Vidius, Skybox, Sanctum, etc. I clued in long ago to the power of the Israeli influence in the security industry.   Why are so many of the market leading technologies coming out of Israel? What’s in the water over there?

Really the start was with IDF based incubation of security know-how some 20 years ago. That for sure has been the case when we started Check Point. Over the years, an independent security community has emerged and by now it is very much a self-perpetuating ecosystem. I am very proud of being one of the founders not only of Check Point and Imperva but also of this broader Israeli security community.

4) We haven’t had a big worm outbreak in the last couple of years and some would argue it’s quiet out there. While identity theft leads the headlines these days, what’s the silent killer lurking in the background that people aren’t talking  about in the security industry?

When we started Imperva in 2002, security was all about worms – it was about a “my attack is bigger than yours” hacker mentality. We believed that future threats would be different and would be focused on targeted attacks.  We placed a bet that the motive of hackers would shift from ego to profit.  We’ve definitely seen that trend materialize over the last couple of years. On the server side, 50% of data leakage involves SQL-injection attacks and XSS is increasingly a leading threat, especially with the added complexity of Web 2.0 applications. Additionally, on the client side we are seeing many more targeted attacks, all the way down to the specific brokerage and on-line banking system you are using. The crimeware infecting your laptop cannot be addressed by a generic, negative logic solution, like anti-virus or anti-spyware, nor will strong authentication help circumvent its malice.
These targeted attacks on business data and on-line transactions are the focus of both Imperva and Trusteer. Imperva focuses on the server side of the transaction while Trusteer focuses on the client side.

5) With Imperva, you’re in the Web Application Security business.  What’s your take on the recent acquisitions by IBM and HP and how they are approaching the problem?  For companies whose core competencies are not focused on security, will this sort of activity really serve the interest of the customer or is it just opportunism?

Just to clarify, Imperva is actually in the application data security and compliance business, a major component of which is Web application security.  Securing databases and big enterprise applications are also part of that picture, as well as addressing regulatory mandates around data usage.  It’s all interrelated.

I think the moves by HP & IBM validate a general trend that we at Imperva have been evangelizing for some time — that application security is a huge issue, and we as an industry really need to get serious about protecting business applications and data.

I would argue that they won’t solve application security and compliance issues with these acquisitions alone.  The reason is that these solutions are only scratching the surface of the issues.  For one, most organizations use packaged applications and don’t have access to modify the source code to fix the issues they might find.  And lots of organizations take a long time to fix code errors even if they do have the capability to modify the code.  This argues for an independent mechanism to implement protections outside the code development / fix process. 

But the larger issue is scope – the data that organizations ultimately want to protect usually lives in a database and is accessed by a variety of mechanisms –applications are one, but direct access by internal users and other internal systems is another huge area of risk.  So addressing only one part of the application’s relationship to this data is not enough.  In my opinion, addressing the whole application data system is ultimately the way to address the core application and data security issue.

Take5 (Episode #3) – Five Questions for Jeremiah Grossman, Founder/CTO of Whitehat Security

June 28th, 2007 No comments

This third instance of Take 5 interviews Jeremiah Grossman, Founder & CTO of Whitehat Security.

First a little background on the victim:

Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld’s Top 25 CTOs for 2007.  Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, ISACA, CSI, OWASP, Vanguard, ISSA, Defcon, etc.  He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, C-Net, CSO, and InformationWeek.  Prior to WhiteHat he was an information security officer at Yahoo!

Here is Jeremiah’s blog and a new book on XSS that he co-authored.

Questions:

1) You’re probably best known for your work on JavaScript attacks, XSS, and CSRF.  This stuff is such a mess and represents an insidious vector for attack.  Do you think we’re ever going to be able to get this genie back in the bottle or are we totally screwed?

Fortunately the Web will hum along and adapt no matter how bad the "hacker attacks" get. We know XSS and CSRF vulnerabilities are everywhere, but the bigger problem is we don’t know exactly where they ALL are. This is what makes the problem really hard to solve. Short of an entire rewrite of THE WEB, we’re going to be stuck with XSS, CSRF, and two dozen other issues for many years to come. Though as websites are revamped with new development frameworks for business reasons we’ll see security improve naturally.


2) Your days of securing hundreds of websites at Yahoo set the stage for what you do today.

Yah, I left the behemoth portal and now I find myself responsible for helping to secure more websites than ever!  🙂

What elements of today’s emerging security problems that you are working on do you think will become another area of focus for you in the long term?

At WhiteHat we’re delivering website vulnerability assessment (VA) on an unprecedented scale. This is important because companies need to constantly monitor the security of ALL their websites ALL the time. Prior to WhiteHat the best a company could do were annual audits only affordable on a select few websites. As websites change this process clearly doesn’t work and the number of incidents and vulnerability prevalence are prime indicators. We need to be able to assess hundreds, thousands, tens of thousands of the world’s largest and most important websites no matter how big or how often they change. This insight will provide intelligence we need to start solving the problem.

The second phase is figuring out how to “fix” the problem and prevent new vulnerabilities from cropping up in the first place. Security inside the SDLC has been talked about a lot and will improve software security in the long run. In the meantime, there are a ton of websites and even more vulnerabilities where relief is required between now and then. Web application firewalls are a likely option. What I’d like to see is tight integration between VA solutions and WAF devices. Since VA knows the specific type and location of vulnerabilities in a website, technically they could communicate a highly accurate rule or “virtual patch” to a WAF and block any incoming attacks. This would provide security professionals more control over the security of websites and developers time to address the problem.
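The VA-to-WAF “virtual patch” idea from the answer above, as an added example that is not WhiteHat’s or any WAF vendor’s code: a scanner finding (vulnerability type, path, parameter) is turned into a positive-security rule scoped to exactly that path and parameter, and sample query-string requests are checked against it. The finding format, the per-class allowlists and the query-string-only request model (no bodies, headers or cookies) are assumptions made for illustration.

```python
"""Virtual patch: turn a VA finding into a scoped WAF rule.

Added example, not WhiteHat's or any WAF vendor's code. The Finding
format, the per-class allowlists and the query-string-only request
model are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Finding:
    """What a scanner knows about one vulnerability (assumed format)."""
    vuln_type: str   # "xss" or "sqli"
    path: str        # URL path where the scanner found it
    parameter: str   # the injectable query parameter


@dataclass(frozen=True)
class VirtualPatch:
    """A positive-security rule: the parameter value must match `allowed`."""
    path: str
    parameter: str
    allowed: re.Pattern
    reason: str


# Conservative allowlists per vulnerability class. A real deployment would
# tune these per parameter from the scanner's knowledge of the expected
# data type; the point is that the rule is scoped, not a generic signature.
ALLOWLISTS = {
    "xss": r"[A-Za-z0-9 _.,@-]{0,256}",   # free text without HTML/JS metacharacters
    "sqli": r"[0-9]{1,10}",               # numeric identifier only
}


def build_patch(finding: Finding) -> VirtualPatch:
    """Translate one scanner finding into a rule for exactly that location."""
    pattern = ALLOWLISTS.get(finding.vuln_type.lower())
    if pattern is None:
        raise ValueError(f"no allowlist defined for {finding.vuln_type!r}")
    return VirtualPatch(
        path=finding.path,
        parameter=finding.parameter,
        allowed=re.compile(pattern),
        reason=f"virtual patch for {finding.vuln_type} in {finding.path}?{finding.parameter}",
    )


def evaluate(patches, url: str):
    """Return (allowed, reason) for a request URL.

    Only the patched path/parameter pairs are inspected; everything else
    passes through untouched, which is what keeps a virtual patch from
    causing the false positives a broad signature would.
    """
    parts = urlsplit(url)
    # parse_qs decodes percent-encoding, so the allowlist sees the value
    # the application would see, not its encoded transport form.
    params = parse_qs(parts.query, keep_blank_values=True)
    for patch in patches:
        if parts.path != patch.path or patch.parameter not in params:
            continue
        # A parameter may be repeated; every occurrence must pass.
        for value in params[patch.parameter]:
            if not patch.allowed.fullmatch(value):
                return False, f"{patch.reason}: value {value!r} rejected"
    return True, "no virtual patch matched"


# Constructed findings, as a scanner might report them for a sample site.
FINDINGS = [
    Finding("xss", "/search", "q"),
    Finding("sqli", "/account", "id"),
]
PATCHES = [build_patch(f) for f in FINDINGS]


def check(url: str) -> bool:
    """Convenience wrapper: True if the request would be allowed through."""
    return evaluate(PATCHES, url)[0]


if __name__ == "__main__":
    # Constructed sample traffic: benign requests pass, injected ones are
    # blocked, and an unpatched path is not touched by the patches at all.
    for sample in [
        "/search?q=hello%20world",
        "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
        "/account?id=42",
        "/account?id=42%20OR%201%3D1",
        "/other?q=%3Cscript%3E",
    ]:
        print(check(sample), evaluate(PATCHES, sample)[1])
```

The last sample shows the trade-off the answer implies: a virtual patch is only as complete as the scanner’s findings, so an unassessed path gets no protection from it.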

3) What do you make of Google’s foray into security?  We’ve seen them crawl sites and index malware.  They’ve launched a security blog.  They acquired GreenBorder.  Do you see them as an emerging force to be reckoned with in the security space?

I doubt Google has plans to make this a direct revenue generating exercise. They are a platform for advertising, not a security company. The plan is probably to use the malware/solution research for building in better security in Google Toolbar for their users. That would seem to make the most sense. Google could monitor a user’s surfing habits and protect them from their search results at the same time.

4) You recently participated in the CSI working group on Web Security Research Law in which you and other experts toiled over the legal and ethical elements of web security vulnerability and disclosure. Given the report’s outcome of more questions than answers, where do you stand personally on the issue of disclosure?


My personal actions probably won’t change much. I’ve been in the non-disclosure camp for a while, unless I had a personal relationship with the company. What has changed is my understanding on the legalities of website vulnerability discovery. Apparently there is NO clear-cut guidance as to what security researchers (in the US) are legally allowed to do or not do. Once the website owner complains to law enforcement it could quickly become a nightmare for the researcher no matter how pure their intentions. So the unfortunate consequence of all this will be the “good guys” will tend to stop looking, and more importantly stop disclosing, while the bad guys get the run of the place no matter what anyway. The net effect is bad for website security and the consumer. Welcome to Web 2.0.

5) So you practice Jiu Jitsu in competition, you play Aussie Rules Football (in *real* countries like NZ, we play Rugby…) and you make the Internet safe for women and children.  Death wish, misplaced angst or ADD?

And you say I have a death wish! I dare you to say those words on the pitch in front of the Aussies. 🙂  Anyway, I’ve NEVER been accused of having ADD, if anything too focused. I tend to enjoy extreme sports and keep myself very busy, part of my personality. Unsolvable problems are the other thing that are attractive to me. Glutton for punishment. 🙂

Take5 (Episode #2) – Five Questions for Marcus Ranum

June 25th, 2007 3 comments

This second instance of Take 5 interviews Marcus Ranum.  Yep, no shit.

First a little background on the victim, Marcus Ranum, in his own words:

I don’t know how to describe myself, anymore. At this point I have held every job you can hold in the security industry – from system administrator to coder, engineering team leader, product manager, product marketing, CSO, CTO, and CEO, industry analyst, teacher, and consultant. If I got to choose which of those I’d rather you thought of me as, it’d be teacher.

Back in the early 90s I did a lot with developing firewalls, and designed and coded the DEC SEAL and TIS Firewall Toolkit – both of which were pretty popular and ground-breaking in their time. I also founded one of the early IDS start-ups, Network Flight Recorder (recently bought by Checkpoint) and served as CEO there for 4 years. Today, I am the CSO of Tenable Network Security – the company that produces the Nessus vulnerability scanner and a suite of security management tools. I live in the wilds of Pennsylvania with 2 huge dogs, 2 horses, and about 18 cats, and spend my spare time doing photography, farming, and too much other stuff to list.

1. Let’s get this out of the way first…The Security Industry vs. Marcus Ranum…Why so grumpy or are you just misunderstood?

I don’t understand! Does the security industry disagree with me? What, are they, stupid?

Just kidding. I’m grumpy – and justifiably so – because, like many security people, I’ve noticed that if you work really hard to organize your thinking about security so that it becomes clear – your good advice will be completely ignored anyhow. Many of the problems that we encounter all over the place today are just instances of the same problems that smarter people than myself predicted we’d have in the early 1980’s.

So, I see the industry as dangerously out of step with its constituents. Remember: this is about protecting real people against real bad things. It’s not a theoretical game. I get really pissed off when I see glib little sociopathic weasels putting innocent people at risk so they can market their products (to those same people!) – it disgusts me. And it disgusts me when I see the media, government agencies, and big-name vendors playing the game.

Those are the short-term frustrations. There are longer-term ones, as well. One of my dad’s friends was a cardiologist and he used to periodically go on a rant that went like this: "90% of my patients come in and are overweight, out of shape, and drink too much, smoke, or snort cocaine. They tell me all this and I tell them they’re ripe for a heart attack. Then I tell them that they need to lose some weight, exercise, and take it a bit easier on their bodies – and they look at me like I’m crazy and ask ‘what’s Plan B’?"   

Well, that’s how I feel about security a lot of the time.  The problems we deal with are so stupid and so obvious – sometimes it makes me want to ask executives, "What are you, retarded?"  Even a Harvard MBA should be able to figure out that if you have copies of your data all over the place where anyone in the enterprise can get at them, it’s going to wind up on laptops and on the Internet.

So – I am frustrated and I am middle-aged (and then a little bit) – at a certain point I feel the long-term downside of speaking my mind will get less and less significant, so why not just let it all hang out?

2. You’re at Tenable Security as CSO now, what are you doing there and why?  You and Ron Gula make a great couple, but are you involved in any other security or technology ventures?

Well, originally, it was Ron and Renaud. Tenable was already cooking along on course before I got involved. I knew Ron from the NFR days because I used to compete with him when he was selling the (now Enterasys) Dragon IDS against us. My role at Tenable is to be a mix between class clown, consultant, and technical trainer – I teach our customers’ classes on how to use our products and feed back ideas and questions through Ron. It works pretty well. Best of all, the rest of the management team at Tenable are all highly technical geeks.

There’s no arguing about how to do the right thing with Venture Capitalists because we’re self-bootstrapped and suit-free. On the other hand, we’ll argue all day about which Linux distro is better – if you can pick and choose your battles, I’ll take technical debates about how many angels can fit on a USB thumb-drive over talking to MBAs any day.

I serve as an advisor to several security start-ups and have to be very careful to keep from getting at competitive cross-purposes. But I love the advisory role – you can look at where a product is going and say, "hey, it’d be nice if it did X, Y, Z" – and a few months later, it does. It’s like being an important customer without having to talk to sales guys! I make a point of actually pounding on products and getting as deep as I can, too.

For example, I am on an advisory board for a company called Fortify that makes a source-code security analyzer tool, and I grabbed the product and spent a week running some of my own code (and other popular open source products) through it. That kind of thing can be really fun!

3. You’ve recently started publishing your "Rear Guard" PodCast.  It’s quite entertaining and what some might describe as classic "Ranum."  What attracted you to PodCasting and do you see starting a Blog?

I got interested in podcasting because I have a real problem with writing – I’ll write an article and go over it again and again and again until I’m happy with it. Writing is like pulling teeth for me. Sometimes, such as the time I was stuck in Frankfurt airport with nothing to do for 36 hours and the only electrical outlet was in the beer-bar – then I get a lot of writing done in a burst. But it doesn’t come easy for me whereas speaking does. So I was listening to a few of my old audio recordings from conferences and thought, "Hey, I can get stuff out there really fast this way!"   Besides it’s a great way to play with tech toys like audio recorders and phone line-taps, etc!

Normally I am an instant nay-sayer about "the new thing" for its own sake but I think that podcasting is fascinating – essentially it’s completely liberated asynchronous radio. If that’s not fantastic, I don’t know what is! The barrier to entry is basically nonexistent – it’s so low there’s no need to worry about sponsorship or marketing crap to pay for it. It’s an environment where content truly is king: if your stuff is good, people will listen.

With respect to a blog – probably not. There are already great blogs out there and I don’t like the short note format. I prefer to write constructed arguments or tutorials; I just can’t whip out a couple paragraphs and let them go like some people can. Blogging tends to encourage a high volume of content. With my schedule and wildly varying energy/attention levels I can’t do more than an intermittent effort.

4. Are there any companies with emerging products or technology in the security space that you feel really "get it" and are doing the "right things" to move security ahead in the right direction?

I’d like to dodge that question, if I may. Otherwise I’ll sound like a marketing guy.

But the sad truth is that a lot of what I see out there is reinventing the wheel to varying degrees. The industry has reinvented antivirus and firewalls about ten times so far – of course it gets called something new and whizzbang each time. That’s inevitable (and uninteresting) because security is a moving target – someone is always getting new bright ideas like "let’s tunnel remote procedure calls over SSL by encoding them in XML" and the poor guys trying to secure it only have a limited set of techniques they can apply (content filtering, signatures, protocol analysis) and – of course – they’ll work as well as they always do.

There is cool stuff being done but I’d categorize it mostly as "solid new implementations of good old ideas."  There’s nothing wrong with that, either.

5. As one of the "founding fathers" of network security — from your firewall days to NFR and beyond — what advice do you have for the up and coming security "professionals"  who are going to have to deal with "securing" networks and assets in an already dynamic and hostile environment while serving the "Frappacino-YouTube-FaceBook-SecondLife-Tor-Twitter-I_Want_It_Now-AlwaysOn" generation who hack life?

Succinctly? "Get used to losing every battle you fight."

I actually get a fair number of Emails every month from people who are thinking about getting into information security. My old suggestion used to be to identify an interesting but not overly ambitious problem in the security space, make a decent attempt at making it less of a problem, and publish everything you can about what you did, why, and what you learned.

Thanks to the "bug of the minute" mindset we’re stuck in now, security has become an intellectual wasteland and the people who will be the next generation of stars will always be the ones who are solving problems (not creating them) and helping the poor outgunned IT specialist.

My new suggestion, when someone asks me about a career in security, is to reconsider the whole idea. In 10 years (probably less) security is going to re-collapse back into system administration and network administration.  Your security practitioner of the future is going to be the guy who clicks the "make it secure" button on the rack of Cisco gear – and he’ll have no idea what that button does. On the systems side, he’ll be the Windows system administrator who forklift-pushes Microsoft Security for Windows to all the desktops, enables it, and reboots them. That’ll be that.

Note: I am not saying it’ll actually be secure, or work, but that’s about the tolerance for security effort that will be left in most IT executives’ minds. And, of course, security will be reporting to lawyers. After all these years of short-sighted security experts saying, "What we need is legislation…" now we’ve got it.

And, as a consequence, security is going to be permanently in the "expense" column and it’ll be a legal mitigation/triage game played by executives and lawyers, with the security guy’s job consisting mostly of hovering over the system admin’s shoulder to make sure that they actually clicked the "on" button where it says "security."

So – I think security’s about to suffer a mental and financial heat-death. Frankly, we deserve it. If you look at what security has accomplished in the minds of most IT execs, during the last 10 years, it has been an endless stream of annoying bug-fixes. All the positive stuff is completely overwhelmed by the flood of mal-this and mal-that and the constant yammering for attention from the vulnerability pimps.

6. Bonus question.  Assuming I qualify the form factor to something that can be carried on your person, what’s your favorite weapon?

That would have to be my custom-forged Bugei daisho that I commissioned in the early 1990’s. But if it was a situation involving more horizontal separation, I’d have to go with my Barrett model 95 with the 8-32x US Optics scope.

/mjr.

United’s entire flight control network down?

June 20th, 2007 No comments

I’m sitting on the tarmac at Logan in an A320.  I’ve been sitting here for almost an hour behind a fleet of other United planes.
According to the pilot, United has experienced a system-wide computer outage that affects the navigational systems of all planes.
We can’t take off because the plane doesn’t know where to go…and neither does the pilot.
So much for triple redundancy!

Hoff

** Update: I guess he wasn’t kidding!  That’s realtime blogging for you folks! 

I blogged this from my phone via email whilst the failure occurred.  The good news is that the delay rippled through the entire schedule, so my connector in Denver to Oakland was also delayed, so I made the flight 😉

Here’s a link from Bloomberg as an update regarding the failure:

United Air Says Computer Failure Blocked All Takeoffs (Update5)

By Susanna Ray

June 20 (Bloomberg) — UAL Corp.’s United Airlines, the world’s second-biggest carrier, stopped all takeoffs around the globe for more than two hours today after the failure of the computer that controls flight operations.

The outage lasted from 9 to 11 a.m. New York time, delaying about 268 flights and forcing 24 cancellations, the Chicago-based airline said. United said it was investigating and hoped to resume normal operations by tomorrow.

United relies on the computer that broke down today for everything needed to dispatch flights, including managing crew scheduling and measuring planes’ weight and balance, spokeswoman Robin Urbanski said. Federal law requires weight-and-balance assessments for passenger flights before takeoff.

A worldwide grounding from a computer fault is “very unusual,” said Darryl Jenkins, an independent aviation consultant in Marshall, Virginia. “Somewhere there was a massive failure.”

Delays, Cancellations

Delays at Chicago’s O’Hare International Airport, the world’s second-busiest and United’s main hub, averaged one to two hours, said Wendy Abrams, a spokeswoman for the Chicago Airport System. Officials opened gates at the international terminal to unload stranded United passengers.

United has a backup for its Unimatic system, “and we’re investigating why that didn’t work,” Urbanski said. Planes airborne during the breakdown were allowed to keep flying, she said.

Preflight weight-and-balance checks are an important safety step. Improper loading reduces speed, efficiency, climbing rates and maneuverability, according to a Federal Aviation Administration handbook. Those changes, combined with abnormal stresses on an aircraft, can lead to crashes.

The Unimatic system “handles all the operational parts of the airline,” said Rick Maloney, a former United vice president for flight operations who is now dean of the aviation college at Western Michigan University in Kalamazoo.

‘Well Protected’

“That system is so well protected,” Maloney said in an interview. “I’m really pretty surprised.”

Companywide shutdowns because of computer glitches are infrequent, said Robert Mann of R.W. Mann & Co., a Port Washington, New York-based consultant. “But every airline has been bitten at one time or another by system failures of this sort, whether they be dispatch, departure control, passenger service, kiosks, communications, baggage or some other.”

Today’s delays will add to the industry’s tardiness so far this year.

U.S. airlines managed only 72.5 percent of flights on time this year through April, the worst rate since the federal government began keeping track in the current format in 1995, according to the U.S. Bureau of Transportation Statistics.

Consultants including Jenkins said today’s computer meltdown shouldn’t damage United’s long-term reputation. “These are things that you recover from,” he said.


Rothman Speaks!

June 15th, 2007 4 comments

…You need Flash to see this…

Firefox also seems to have intermittent trouble rendering this.

If you only see 1/2 of Mr. Rothman, right-click and select "show all"
and then click on the little purple play icon.  IE has no issue.

Turn the volume WAY up…I had to whisper this @ work.

/Hoff

Congratulations to Richard Bejtlich – Good for him, bad for us…

June 11th, 2007 2 comments

Congratulations go to Richard Bejtlich as he accepts a position as GE’s Director of Incident Response.  It’s a bittersweet moment as while GE gains an amazing new employee, the public loses one of our best champions, a fantastic teacher, a great wealth of monitoring Tao knowledge and a prolific blogger.

While I am sure Richard won’t stop all elements of what he does, he’s going to have his hands full.  I always privately wondered how he maintained that schedule.  Mine is crazy, his is pure lunacy.

I am grateful that I’m scheduled to attend one of Richard’s last classes — the TCP/IP Weapons School @ Blackhat.  I’ve attended Richard’s classes before and they are excellent.  Get ’em while you still can.

Again, congratulations, Richard.

/Hoff

A Poke in the eEye – First a DoS with Ross and now…?

June 11th, 2007 No comments

The drama continues?

Mitchell blogged last week about the release of the new eEye Preview Service, a "three-tiered security intelligence program" from eEye and what he describes as an apparent change in focus for the company.

With Ross Brown’s departure (and subsequent blog p0wnership) and Mitchell’s interesting observation of what appears to be a company migrating away from a product to a service orientation with continued focus on research, my eyebrows (sorry) raised today when I perused one of my syndicated intelligence gathering sites (OK, it’s a rumor mill, but it’s surprisingly reliable) and found this entry:

Is the end in sight for eEye?
Rumor has it more layoffs went down at eEye
this week. Rumor has it the company fired most of their senior
developers, most of the QA staff and demoted their VP of Engineering.
When: 6/8/2007
Company: eEye Digital Security
Severity: 70
Points: 170

Look, this is from f’d Company, so before we start singing hymnals, let’s take a breath and digest a few notes.

This was posted on the 8th. I can’t reasonably tell whether or not this round of RIF is the same to which the InfoSecSellout(s) [they appear to have admitted — accidentally or not — in a post to be plural] referred to on their blog.  I’d hate not to reference them as even a potential source, lest I be skewered in the court of Blogdom…

This appears to be the second round of layoffs in the last few months or so for eEye, and it indicates interesting changes in the VA landscape as well as the overall move to SaaS (Security as a Service) for those companies who are looking for differentiation in a crowded room.

Of course, this could also be a realignment of the organization to focus on the new service offerings, so please take the prescribed dose of NaCl with all of this.  We all know how accurate the Internet is…It would be interesting to reconcile this against any substantiated confirmations of this activity.

I hate to see any company thrash.  If the rumors are true, I wish anyone that might have been let go a soft landing and a quick recovery.

This story leads into a forthcoming post on SaaS (Security as a Service.)

/Hoff


Yeah, I don’t get Symantec, either…HuaMantec?

May 27th, 2007 1 comment

Alan beat me in blogging about something I discussed @ our Interop Blogger’s dinner last week, namely the absolute bewildering announcement made by Symantec:

Symantec Corp. and Huawei Technologies Co., Ltd. are forming a joint
venture company to develop and distribute security and storage
appliances to global telecommunications carriers and enterprises.

The joint venture will help operators and enterprises address
challenges arising from maintaining IP networks and IT systems that
support a growing number of connections. This requires balancing
increasing performance and availability requirements with system
security and data integrity.

Initially the offering will include security and storage appliances
addressing those issues. The new company will be headquartered in
Chengdu, China, with Huawei owning 51 percent of the joint venture and
Symantec owning 49 percent.

Huawei will contribute its telecommunications storage and security
businesses including its integrated supply chain and integrated product
development management practices. Additionally, the new company will
have access to Huawei’s intellectual property (IP) licenses, research
and development capabilities.

Symantec will contribute some of its enterprise storage and security
software licenses, working capital, and its management expertise into
the new company. Symantec will also contribute US$150 million toward
the joint venture’s growth and expansion.

The joint venture is expected to close late in the calendar year, pending required regulatory and governmental approvals.

What the hell, over!?  Perhaps they forgot about this announcement from almost the same time last year, wherein ’twas quoted:

The announcement
is evidence that Symantec is shifting its strategy away from being a
"one stop shop" for security wares, and will focus on lucrative
security management and services, said John Pescatore, a vice president
at Gartner.

Symantec
announced the changes internally yesterday, saying it was a "change in
its investment strategy in the network and gateway security business."
The news was accompanied by lay-offs affecting approximately 80
employees in the company’s SGS unit, a company spokeswoman said.

…after the 3Com buyout of the last venture between 3Com and Huawei, perhaps they’re going to pick up the pieces?  Are we going to see a yellow version of the M.I.A. 3Com M160 since they’re not doing anything with it?

Wow.

Perhaps the first thing they can do for the Chinese market is to fix the Symantec Autoupdate feature:

According to reports from the Chinese state media last night, an
automatic update to the Chinese version of the Norton anti-virus
software sent out last Friday identified two critical Windows XP files
as malware and deleted them.

As a result, millions of Chinese
PC users have had to re-install their operating systems or, if they
have planned ahead (and are lucky), used the RESTORE function from the
XP emergency recovery menu.

China Daily says that many companies are threatening to sue Symantec for large sums of money for lost working time. Symantec has reportedly made a formal apology on Wednesday.

/Hoff



I want to have Gunnar Peterson’s Baby (His SOA posts are the schizzle!)

April 13th, 2007 No comments

I really look forward to reading Gunnar Peterson’s blog.  He’s got a fantastic writing style and communicates in an extremely effective form about one of my favorite topics SOA and security. His insightful posts really get to the point in a witty and meaningful way.  I’m going to try to make one of the OWASP meetings he is presenting at soon.

Gunnar made a fantastic post commenting on Arnon Rotem-Gal-Oz’s writings on Service Firewall Patterns, but within the context of this discussion, his comments regarding the misalignment of developers, network folks, security practitioners and enterprise architects are well said:

One of my issues with common practice of enterprise architecture is that they frequently do not deep dive into security issues, instead focusing on scalability, detailed software design, and so on. But here is the thing – the security people don’t know enough about software design, and the software people don’t know enough about security to really help out.

Sadly, this is very true.  It goes back to the same line of commentary I’ve also made in this regard.  The complexity of security is rising unchecked and all the policy in the world isn’t going to help when the infrastructure is not capable of solving the problem and neither are the people who administer it.

Add to this the reality that many security mechanisms cannot make a business case as a one off project, but need to be part of core infrastructure to be economic, and wel[l], you get the situation we have today.

Exactly.  While this may not have been Gunnar’s intention, this describes why embedding security functionality into the "network" and expecting packet jockeys to apply a level of expertise they don’t have to solving security problems "in the network", as a result of economic cram-down, is going to fail.

The architects define the "what", and unless security is one of those whats, it is not feasible to make the case for many specialized security services at a project by project level. This is why enterprise architects that enable increased integration within and across enterprises must also invest time and resources in revamping security services that enable this to be done in a reliable fashion.

…but sadly, to Gunnar’s point above, just as security people don’t know enough about software design and software people don’t know enough about security, enterprise architects often don’t know what they don’t know about networking or security.  The problem is systemic, and even with the best intentions in mind, an architect rarely gets the opportunity to ensure that, after the blueprints are handed down, the "goals" for security are realized in an operational model consistent with the desired outcome.

I’m going to post separately on Rotem-Gal-Oz’s Service Firewall Pattern shortly as there are tremendous synergies between what he suggests we should do and, strangely, the exact model we use to provide a security service layer (in virtualized gateway form) to provide this very thing.

/Hoff
