Complicating factors is the impact (or lack thereof) of incidents on stock price.  Many researchers who identify themselves with the New School of Information Security (yours truly included) want to immediately look at stock price as a bell-weather metric for incident impact.  I think this stems from our days of slinging FUD, back when we could scream “Buy a firewall or we’ll have an incident and you’ll be on the front page of the paper and the stock price will go down!”  But these days notable incidents seem to suggest that the impact on stock price for an incident is short lived.  With qualifications, of course.

So what would/should we make of this from Money.co.uk?

£12million ($24m) Wiped off Helphire Stock after Malicious Email Sent to Clients

Car hire firm Helphire have taken Google to court after a malicious email sent from a Gmail account saw their shares plummet £12million in a single day.

The Bath-based business who specialise in providing replacement cars to ‘no-fault’ drivers involved in accidents on behalf of car insurance companies, initiated legal proceedings against the search engine giant as part of their attempt to find out who is responsible for sending the defamatory mailing.

Google are now known to have complied with the court order and have controversially supplied details of the email account and ISP used by the meddler.

Written under the psudoname Peter Franks, the 1200 word email is know to have been sent from a gmail account that was opened specifically for this purpose and closed a few minutes after the damage had been done…

…The misdemeanour couldn’t have come at a worse time for the struggling firm who have undergone a £45million rights issue and seen a 75% drop in the value of their stock already this year.

That last paragraph, for me, explains some of the difficulty in tying reputation damage to stock decreases.  It’s like when you read the headlines from Bloomberg about why the days stocks (or commodity) prices are up or down.  You know, the “Oil closes $3 higher on news that a notable South American dictator has a rather unpleasant boil in a very uncomfortable area” type of headlines.  You really do have to question the causality and correlation.  So in the Helphire case above - is this new drop in stock really because of the email sent?  If so, should we view that $24mil number as an independent data point to describe this sort of attack on reputation, or is the magnitude aggravated due to the long-term trend of stock price?

Even when we have “Objective Data” (an in-joke for Adam S.) like this decline in stock price, it is really difficult to provide any sort of precise estimate or measurement - about the future, present or past.  The best we can do is use ranges, distributions, that are reasonable based on evidence and observation.

So it’s worth filing away this sort of datum for future use - while dutifully acknowledging the qualifiers we might place around it.

So the questions I ask here - what should we make of this new information, and how should we view the $24million drop - they’re not rhetorical.  I am very interested in your views and welcome your comments!

It's basically what you would expect: Appoint a national cyber security advisor, invest in math and science education, establish standards for critical infrastructure, spend money on enforcement, establish national standards for securing personal data and data-breach disclosure, and work with industry and academia to develop a bunch of needed technologies.

I could comment on the plan, but with security the devil is always in the details -- and, of course, at this point there are few details. But since he brought up the topic -- McCain supposedly is "working on the issues" as well -- I have three pieces of policy advice for the next president, whoever he is. They're too detailed for campaign speeches or even position papers, but they're essential for improving information security in our society. Actually, they apply to national security in general. And they're things only government can do.

One, use your immense buying power to improve the security of commercial products and services. One property of technological products is that most of the cost is in the development of the product rather than the production. Think software: The first copy costs millions, but the second copy is free.

You have to secure your own government networks, military and civilian. You have to buy computers for all your government employees. Consolidate those contracts, and start putting explicit security requirements into the RFPs. You have the buying power to get your vendors to make serious security improvements in the products and services they sell to the government, and then we all benefit because they'll include those improvements in the same products and services they sell to the rest of us. We're all safer if information technology is more secure, even though the bad guys can use it, too.

Two, legislate results and not methodologies. There are a lot of areas in security where you need to pass laws, where the security externalities are such that the market fails to provide adequate security. For example, software companies who sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. But a bad law is worse than no law. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating software liabilities for software failures is good, detailing how is not. Legislate for the results you want and implement the appropriate penalties; let the market figure out how -- that's what markets are good at.

Three, broadly invest in research. Basic research is risky; it doesn't always pay off. That's why companies have stopped funding it. Bell Labs is gone because nobody could afford it after the AT&T breakup, but the root cause was a desire for higher efficiency and short-term profitability -- not unreasonable in an unregulated business. Government research can be used to balance that by funding long-term research.

Spread those research dollars wide. Lately, most research money has been redirected through DARPA to near-term military-related projects; that's not good. Keep the earmark-happy Congress from dictating how the money is spent. Let the NSF, NIH and other funding agencies decide how to spend the money and don't try to micromanage. Give the national laboratories lots of freedom, too. Yes, some research will sound silly to a layman. But you can't predict what will be useful for what, and if funding is really peer-reviewed, the average results will be much better. Compared to corporate tax breaks and other subsidies, this is chump change.

If our research capability is to remain vibrant, we need more science and math students with decent elementary and high school preparation. The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers, but also because science isn't valued in a country full of creationists. One way the president can help is by trusting scientific advisers and not overruling them for political reasons.

Oh, and get rid of those post-9/11 restrictions on student visas that are causing (.pdf) so many top students to do their graduate work in Canada, Europe and Asia instead of in the United States. Those restrictions will hurt us immensely in the long run.

Those are the three big ones; the rest is in the details. And it's the details that matter. There are lots of serious issues that you're going to have to tackle: data privacy, data sharing, data mining, government eavesdropping, government databases, use of Social Security numbers as identifiers, and so on. It's not enough to get the broad policy goals right. You can have good intentions and enact a good law, and have the whole thing completely gutted by two sentences sneaked in during rulemaking by some lobbyist.

Security is both subtle and complex, and -- unfortunately -- it doesn't readily lend itself to normal legislative processes. You're used to finding consensus, but security by consensus rarely works. On the internet, security standards are much worse when they're developed by a consensus body, and much better when someone just does them. This doesn't always work -- a lot of crap security has come from companies that have "just done it" -- but nothing but mediocre standards come from consensus bodies. The point is that you won't get good security without pissing someone off: The information broker industry, the voting machine industry, the telcos. The normal legislative process makes it hard to get security right, which is why I don't have much optimism about what you can get done.

And if you're going to appoint a cyber security czar, you have to give him actual budgetary authority -- otherwise he won't be able to get anything done, either.

This essay originally appeared on Wired.com.

And, as with the AT&T deal, Bell's Internet customers get unlimited access in Starbucks's stores. The deal starts up immediately, as Bell is the current operator. AT&T is transitioning to running Starbucks in the U.S., taking over by the end of 2008 from T-Mobile.

It's basically what you would expect: Appoint a national cyber security advisor, invest in math and science education, establish standards for critical infrastructure, spend money on enforcement, establish national standards for securing personal data and data-breach disclosure, and work with industry and academia to develop a bunch of needed technologies.

I could comment on the plan, but with security the devil is always in the details -- and, of course, at this point there are few details. But since he brought up the topic -- McCain supposedly is "working on the issues" as well -- I have three pieces of policy advice for the next president, whoever he is. They're too detailed for campaign speeches or even position papers, but they're essential for improving information security in our society. Actually, they apply to national security in general. And they're things only government can do.

One, use your immense buying power to improve the security of commercial products and services. One property of technological products is that most of the cost is in the development of the product rather than the production. Think software: The first copy costs millions, but the second copy is free.

You have to secure your own government networks, military and civilian. You have to buy computers for all your government employees. Consolidate those contracts, and start putting explicit security requirements into the RFPs. You have the buying power to get your vendors to make serious security improvements in the products and services they sell to the government, and then we all benefit because they'll include those improvements in the same products and services they sell to the rest of us. We're all safer if information technology is more secure, even though the bad guys can use it, too.

Two, legislate results and not methodologies. There are a lot of areas in security where you need to pass laws, where the security externalities are such that the market fails to provide adequate security. For example, software companies who sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. But a bad law is worse than no law. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating software liabilities for software failures is good, detailing how is not. Legislate for the results you want and implement the appropriate penalties; let the market figure out how -- that's what markets are good at.

Three, broadly invest in research. Basic research is risky; it doesn't always pay off. That's why companies have stopped funding it. Bell Labs is gone because nobody could afford it after the AT&T breakup, but the root cause was a desire for higher efficiency and short-term profitability -- not unreasonable in an unregulated business. Government research can be used to balance that by funding long-term research.

Spread those research dollars wide. Lately, most research money has been redirected through DARPA to near-term military-related projects; that's not good. Keep the earmark-happy Congress from dictating (.pdf) how the money is spent. Let the NSF, NIH and other funding agencies decide how to spend the money and don't try to micromanage. Give the national laboratories lots of freedom, too. Yes, some research will sound silly to a layman. But you can't predict what will be useful for what, and if funding is really peer-reviewed, the average results will be much better. Compared to corporate tax breaks and other subsidies, this is chump change.

If our research capability is to remain vibrant, we need more science and math students with decent elementary and high school preparation. The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers, but also because science isn't valued in a country full of creationists. One way the president can help is by trusting scientific advisers and not overruling them for political reasons.

Oh, and get rid of those post-9/11 restrictions on student visas that are causing (.pdf) so many top students to do their graduate work in Canada, Europe and Asia instead of in the United States. Those restrictions will hurt us (.pdf) immensely in the long run.

Those are the three big ones; the rest is in the details. And it's the details that matter. There are lots of serious issues that you're going to have to tackle: data privacy, data sharing, data mining, government eavesdropping, government databases, use of Social Security numbers as identifiers, and so on. It's not enough to get the broad policy goals right. You can have good intentions and enact a good law, and have the whole thing completely gutted by two sentences sneaked in during rulemaking by some lobbyist.

Security is both subtle and complex, and -- unfortunately -- it doesn't readily lend itself to normal legislative processes. You're used to finding consensus, but security by consensus rarely works. On the internet, security standards are much worse when they're developed by a consensus body, and much better when someone just does them. This doesn't always work -- a lot of crap security has come from companies that have "just done it" -- but nothing but mediocre standards come from consensus bodies. The point is that you won't get good security without pissing someone off: The information broker industry, the voting machine industry, the telcos. The normal legislative process makes it hard to get security right, which is why I don't have much optimism about what you can get done.

And if you're going to appoint a cyber security czar, you have to give him actual budgetary authority -- otherwise he won't be able to get anything done, either.

---

Bruce Schneier is chief security technology officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

Synopsis:  Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on April 17, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• MANY thanks for all the offers of audio production assistance – getting it organized now


• Ingate SIP Trunking webinar now available (and a note about participating in things like this)


• VOIPSA blog site hacked
• Voice of VOIPSA: Quarterly VoIP Vulnerabilities Summary


• VoIPshield list of vulnerabilities


• Cisco Advisory


• Cisco Advisory about Disaster Recovery Framework


• Voice of VOIPSA: VoIPshield announces discovery of over 100 vulnerabilities along with a YouTube video


• CIO


• Washington Post: Reach Out And Hack Someone


• Voice of VOIPSA: GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers


• VoIP News: The Essential Guide to VoIP Security


• Information Week: Securing VoIP with SecureLogix – includes YouTube video with Mark Collier


• Voice of VOIPSA: VoIP and the International Space Station


• Voice of VOIPSA: Xplico Network Forensic Analysis Tool


• Voice of VOIPSA: Australians falling victim to foreign phone hackers


• VoIP News Australia: How ACMA Plans to Regulate VoIP


• Network World: Government agencies rejecting VoIP?



• Linux Professional Institute to develop enterprise-level security exam


• Net neutrality and Bell Canada


• ZDNet: Attacks escalate on critical U.S. government networks: Will a Manhattan Project work?


• Google XSS Attack (interesting as it shows the complexity of such attacks)
• The Economist: Special Report: The New Nomadism


• VoiceBiometrics – May 14-15, New York


• IP Telephony University – June 23-24, Alexandria, VA


• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 44:22 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:  Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on April 17, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• MANY thanks for all the offers of audio production assistance – getting it organized now


• Ingate SIP Trunking webinar now available (and a note about participating in things like this)


• VOIPSA blog site hacked
• Voice of VOIPSA: Quarterly VoIP Vulnerabilities Summary


• VoIPshield list of vulnerabilities


• Cisco Advisory


• Cisco Advisory about Disaster Recovery Framework


• Voice of VOIPSA: VoIPshield announces discovery of over 100 vulnerabilities along with a YouTube video


• CIO


• Washington Post: Reach Out And Hack Someone


• Voice of VOIPSA: GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers


• VoIP News: The Essential Guide to VoIP Security


• Information Week: Securing VoIP with SecureLogix – includes YouTube video with Mark Collier


• Voice of VOIPSA: VoIP and the International Space Station


• Voice of VOIPSA: Xplico Network Forensic Analysis Tool


• Voice of VOIPSA: Australians falling victim to foreign phone hackers


• VoIP News Australia: How ACMA Plans to Regulate VoIP


• Network World: Government agencies rejecting VoIP?



• Linux Professional Institute to develop enterprise-level security exam


• Net neutrality and Bell Canada


• ZDNet: Attacks escalate on critical U.S. government networks: Will a Manhattan Project work?


• Google XSS Attack (interesting as it shows the complexity of such attacks)
• The Economist: Special Report: The New Nomadism


• VoiceBiometrics – May 14-15, New York


• IP Telephony University – June 23-24, Alexandria, VA


• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 44:22 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Dear network vendor,

As someone that is forced to configure and implement security on your hardware, I would greatly appreciate stable code and properly functioning features. Unfortunately, I cannot always choose the hardware my customers are using in their infrastructure. However, if you would like for me to recommend they continue purchasing and using it, then the product must demonstrate to me that it is: capable, reliable, predictable and well-documented. If your product is not meeting these requirements, I’m forced to recommend other solutions to your (current) customer.

Stable Code. If I have to spend 2-6 hours per implementation working through your product’s bugs, and then must either spend time on a support call or spend time getting packet captures to prove to you it’s not working, I am not a happy camper because you’re slowing down my progress. Your customer is not happy because they’re paying for that time and I’m not cheap.

Features. Don’t publish in technical documentation that your product, or code can do something, only for me to find out later that it cannot. On-site in the middle of an implementation is not the time to architect Plan B. Let me know before, either through technical docs, white papers, best practices or release notes. I do read those. If you want to bend the truth, do it the marketing fluff, not my technical documents.

Documentation. If your product does do what you say it does, then please do document and explain the concepts and procedures. Examples are good, but explanations are mandatory. A correct CLI reference is always lovely as well. If there are got’chas or tricks, please also document those. Again, white papers or release notes are fine. Having to track down the one security engineer from your company that holds the magic key is not practical, nor scalable. Plus, he may be on vacation during my install, which would make me irate.

Support. If your product is not functioning or performing as expected, do NOT expect your customers to have a current maintenance contract to address a known issue or bug (or an un-known issue or bug for that matter). If they found a bug for you, you should probably give them a maintenance contract for a year… or two. If you don’t let us call support, I will find one of your pre-sales engineers and we will use him or her for post-sales support, which is not what you want them to do. But that’s your problem, not mine.

I believe that sums up the major issues. Specifically, I am interested in security, RADIUS, SSH, SNMP, DHCP and 802.1X functions. Before you add another bell or tweak another whistle, please make what you have works… consistently. That should be first, so it’s my Feature Request #1.

Respectfully,

jj

# # #

Because DPI can drill down into packet headers and then further into the actual content being pumped through the tubes, it raises all sorts of questions from privacy advocates concerned about the easy collection of private personal information. Current gear is so sophisticated that it can reconstitute e-mails and IM conversations out of asymmetric traffic flows and it can essentially peek “under the hood” of any non-encrypted packet to take a look at what it contains.

Bell Canada’s use of DPI gear has now ensnared the company in a pair of government actions over net neutrality concerns and privacy. Bell, apparently sensitive to such concerns, has made clear in its own responses to the network neutrality proceeding that its DPI gear looks at packet headers and traffic flows as a means of identifying various applications and protocols. Bell does not use DPI to actually peer at packet contents, however. “The content itself is not actually reviewed, analyzed or stored,” Bell says.

Ars Technica has the story.