Who knows what he will grow up to be.
Camera: Nikon D70s
Exposure: 1/5000 sec
Aperture: f/6.3
Focal Length: 85 mm
ISO Speed: 400
Posted by Andrew Storms on February 28, 2009 at 07:35 PM in Photography
Tags: photography
Back on February 23rd, I outlined what I felt Adobe needed to do in a hurry regarding this Acrobat 0day. Last night, Adobe spoke, and they almost seem to be following my recommendations. Admittedly, my suggestions were only common sense; for some reason, Adobe got caught behind the curve. Nonetheless, it's time to review.
My suggestion 1: Confirm the Javascript mitigation.
Adobe: Check. Yes, it does provide some, but not all, protection. (They did provide the directions, but no way to effectively and centrally roll out this change to an enterprise.)
My suggestion 2: Confirm with AV vendors that they can mitigate the attack.
Adobe: Check. They go on to list the products. (Well done, Adobe.)
My suggestion 3: Update the security bulletin.
Adobe: Almost there. They did update the security bulletin, but didn't update the dates on the main security bulletin website. The revision history on the bulletin was updated, but with no useful note on what was changed.
My suggestion 4: Provide accurate and advanced notification on when we can expect the patch.
Adobe: Not really. Adobe continues to say "by March 11th". If yesterday's surprise Flash patch is any indication, then they will probably surprise us with the Reader/Acrobat patch as well.
Posted by Andrew Storms on February 25, 2009 at 09:13 AM in Information Security
Tags: 0day, Acrobat, Adobe, bulletin, security
Adobe is about to release an update to Flash Player to address a security advisory. At least, that is according to iDefense; at the moment, Adobe hasn't updated their own security site yet.
Yes, that is correct: they are updating Flash, not Acrobat, not Adobe Reader. Despite a 0day in the wild, and despite the Reader flaw being used in attacks since early January, Adobe updates Flash. What's more, the iDefense advisory doesn't mention a thing about this Flash bug being public or being used in attacks.
Review
Acrobat 0day in the wild since January.
Acrobat 0day code published.
No solid mitigation from Adobe on the Acrobat flaw.
Third parties offer up their own Acrobat patches.
iDefense reports an update for Flash expected today.
The Flash vulnerability is not in the wild.
iDefense published a workaround in their advisory on Flash.
No information from Adobe yet about this Flash update.
No new information from Adobe about the Acrobat 0day.
See also Help me Adobe you are my only hope
Update: Adobe released the Flash update
Posted by Andrew Storms on February 24, 2009 at 11:49 AM in Information Security
Tags: 0day, acrobat, Adobe, flash, security, update
Adobe has confirmed a vulnerability in Acrobat, but nothing else. Starting back in early February, rumors began spreading about a new Acrobat exploit. With Symantec's release of a signature on February 12th and insiders among large software vendors hinting of a bug, sensors went into overload. Last week, ShadowServer confirmed the bug and Adobe quickly dropped everything to shore up the PR issue. Despite the information, we are in no better place today and may not be until March 11th.
Where are we today?
Where should we be?
It's understandable that Adobe hasn't released a patch yet, but there are many more things that Adobe could be doing.
Posted by Andrew Storms on February 23, 2009 at 01:38 PM in Information Security
Tags: 0-day, 0day, Acrobat, Adobe, information, PDF, reader, risk, security, vulnerability
Seems like everything is falling apart these days.
Posted by Andrew Storms on February 21, 2009 at 03:03 AM in Photography
Tags: photography
Despite predictions that spending on cloud services will triple by 2012, the number one market barrier continues to be security concerns. If cloud computing vendors hope to obtain 9% of IT revenue by 2012, then it's time for them to rethink their marketing.
I challenge each of you to visit any cloud computing vendor’s website and read the marketing materials. What IT professionals read are words that spell fear. For example.
What’s missing is anything related to what makes IT security an interested party to the conversation. What about governance, supportability, compliance and privacy? I took the challenge myself and wrote down a number of marketing terms that popped out on websites. What you see below is a word cloud of those phrases.
My challenge to the cloud vendors: if you want part of the $42 billion market by 2012, then get IT security on your side. Address the concerns up front in a meaningful way.
PS. Here are the phrases I found:
Posted by Andrew Storms on February 20, 2009 at 06:49 AM in Information Security
Tags: cloud, compliance, computing, marketing, risk
On Valentine's Day, John Markoff at the New York Times asked, "Do we need a new Internet?" The title is absurd, as if suggesting that driving on the left side of the road will reduce our love of fossil fuels. Markoff, flanked by a number of researchers, goes on to report that what we need is a new Internet. The problem with the new Internet is that it will still have human users.
If you believe that the basic human nature of greed is still alive today, then you must concede it will continue to thrive tomorrow. Why are the US and world economies in a drivel? Why are credit card processing companies being breached? Why do regular hard-working employees break security policies? Greed.
Mahatma Gandhi once said, "Earth provides enough to satisfy every man's need, but not every man's greed". The same holds true for the Internet. Even in Markoff's Internet that is in a state of global deterioration, every person with access has before them endless information and opportunity. (Let's put aside the Chinese wall for sake of argument). The user chooses what resources are utilized and how to take advantage of them.
Would a centralized, gated community of interconnected networks save us from Conficker? Would removal of anonymity on the Internet prevent security breaches at Card Systems, Heartland or Los Alamos Labs? The answer is no. However, Markoff and his commentators would have you believe that the answer is to nuke and pave -- create a new Internet.
Driving on the real-life superhighways in the United States presents a perfect analogy. First, Markoff's researchers suggest a barrier to entry for the new Internet: you have to forego some personal freedoms. Similar to driving, users are supposed to abide by laws and regulations. The biggest barrier to entry for both driver and surfer is the utility. A car or computer is required to take part in accessing the medium. As we all know, neither of these barriers nor the loss of personal freedom has stemmed the problems. Second, anonymity would not be permitted on the new Internet. Driving has that requirement as well. Each car must be registered and display a license plate. Drivers themselves must pass a test and be licensed as well. Despite the laws and user education, we still must employ enforcement officers.
Despite barriers to entry, user education and laws, the problem still lies with the user. Cars don't kill people. The Internet doesn't create viruses. If there is a will, there is a way. Starting over isn't the answer.
Posted by Andrew Storms on February 19, 2009 at 03:49 PM in Information Security
Tags: breach, Internet, NYT
Reading Christofer Hoff’s blog on separating virtualization from the cloud reminded me of the importance of the persona. Chris asks a valid question: do we assume that virtualization is an integral part of cloud computing? In his incomplete thought, he links over to Lori MacVittie’s post on “The cloud within the cloud”. Lori touches on the heart of the issue by noting that some users shouldn’t care, while others must. While Chris’s thought seems to be stuck on the difference between the problem and the solution, Lori rightfully notes that it matters based on who is asking. Both of these instances are more easily solved by first understanding the persona and the problem.
Problem and Solution
The head of sales walks over to the helpdesk and requests, “I need my computer on the QA network.”
The head of sales thinks he has provided both the problem and the solution.
Problem: my computer isn’t on the QA network
Solution: the helpdesk guy needs to go over to that closet and reconfigure my network port.
The question the helpdesk needs to ask is “what real problem is the head of sales trying to solve?” While it may sound combative, a good IT team will question both the problem and the solution. “Why does the head of sales need to be on the QA network?” The most likely answer is he wants to get his hands dirty with the new product before it’s released. The real solution isn’t for the head of sales to dictate. They should not care about the solution details, just that they can view the new product.
The same holds true when asking if the cloud equates to virtualization. The consumer need not care. The buyer cares that the solution is delivered within her requirements. The buyer and the requirements are still very nebulous, which is why a persona definition is required.
Define the Persona
As Lori so pointedly notes, some people need to know: “But yet some of us need to care what’s obscured; the folks tasked with building out a cloud environment need to know what’s hidden in the cloud in order to build out an infrastructure that will support such a dynamic, elastic environment.” An important rule of any presentation is to know your audience. Talking about cloud infrastructure to a potential customer who is the head of marketing presents an entirely different challenge than speaking to the head of risk management.
The Problem
Do we assume that virtualization is integral to cloud computing? Should users care what’s behind the cloud? Is cloud computing or virtualization secure? Should I care?
In all fairness, both Chris and Lori understand these points about personas and problems. However, I wanted to use these examples of what happens every day with respect to the cloud. One side of the table discounts cloud-based computing due to its insecure nature. The opposite side sees the immediate value proposition. The problem today is that the value propositions are all targeted to a service consumer that doesn’t need to consider information risk management. What follows is an internal battle between risk management and everyone else.
In recent years I’ve had great success at bridging the gap between IT risk management and the consumer of the cloud service. The solution relies greatly on defining the personas and the problems first, then coercing the vendors to solve the problems for each different persona.
Define the persona and the problem. Then work on the solution.
Posted by Andrew Storms on February 18, 2009 at 04:12 PM in Information Security
Tags: cloud, computing, persona, virtualization
A recap of selected articles where I was quoted in recent days.
Critical IE, Exchange Flaws in Microsoft's Patch Tuesday
Washington Post, United States -
SecurityFocus, CA -
ZDNet Blogs -
CIO Today, CA -
Infopackets, Canada -
Posted by Andrew Storms on February 17, 2009 at 07:24 AM in Information Security
Tags: coverage, news, pr, press
With an unprecedented amount of industry collaboration aimed to annihilate the Conficker worm, Microsoft announced a $250,000 bounty for the worm’s maker. Microsoft first created the reward program in 2003, funding it with $5 million. The fund was intended to help law enforcement find and prosecute virus and worm authors. Four times prior, Microsoft hung out the wanted flyers in hopes of finding the creators of the “Sasser”, “Blaster”, “MyDoom” and “Sobig” worms.
The moment the Conficker bounty was announced, the analysis began. Would the money really motivate someone to turn in the “criminal”? How does it compare to other similar bounties? Does this tactic turn ordinary computer white hats into a new level of criminal?
Despite the common theory that originators of Conficker are a group of people associated with an eastern European mob-style group, I thought it would be interesting to draw up some statistics. I was inspired by Dino A. Dai Zovi’s twitter update on Friday - “My point wrt to conficker bounty is this: a programmer in wherever is as much of a menace to our society as these fugitives? Really? Scary”
Visualization #1.
Compare the Conficker bounty with those of non-cyber criminals. Add the bail amounts of recently famous persons.
Visualization #2.
Same as above, but remove Usama Bin Laden, as that amount skews the graph too much.
*Note: the Jesse James bounty was converted from $5,000 in 1882 to 2008 dollars based on CPI estimates.
**Note again: the average FBI Most Wanted reward EXCLUDES Usama Bin Laden.
The FBI 10 most wanted list has historically represented the worst of the worst. It signifies those on the loose for the most heinous crimes. Interesting to note, 6 of the list have a $100,000 reward, much less than that of the Conficker reward. Of the 3 that weigh in over $250,000, one has a reward of $1 million, the second $2 million, and finally Bin Laden comes in at $27 million.
As it would seem, these comparisons alone with the FBI 10 most wanted do seem to put the Conficker originator into a new category. However, comparing the $250,000 reward with the bail amounts of recently accused puts Conficker back down a few notches.
Posted by Andrew Storms on February 16, 2009 at 08:12 PM in Information Security
Tags: bounty, conficker, FBI, microsoft, reward