• State of Nature. State of Nature just means what the current state is.  There are two ISSA Journals on my desk right now - State of Nature statement.

• State of Knowledge:  Analysis derived from examination of State of Nature.  “One of these ISSA Journals has an article co-authored Donn Parker on ROI.  I’ve read it, and it makes some statements he regards as truth.  Looking at those, well, I know that risk is quantifiable, best practices have significant issues, and there are many, many other statements of authority in the article that I can refute on evidence.” - Analysis or State of Knowledge.

• State of Wisdom:  Synthesis from the analysis.  The “So” moment.  “So since there are many statements of authority made in the article that I can refute on evidence, I should be open but skeptical about whether the conclusions of this article are likely to have much value to me in my quest to understand the value of risk reducing investments.”  What I’ve synthesized from the quality of the article - State of Wisdom.

(Just a clue for our readers, anytime you read someone talk about risk and mention the term “actuarial” - be skeptical about the conclusions they have you draw from the statement using that word. 9 times out of 10 what I’ve read after someone says actuarial is made as authoritative but shows a level of ignorance on the subject.  If you really want to mess with them - say “Really! Well, tell me how you feel about the use of non-parametric Bayesian Methods” and wait… )

MMMMM-MMMMMMM CHECKLISTS!

So what about Checklists?  They’re worth discussing because we’re swamped by them!  Heck, we’ve got people in love with the idea of checklists of checklists and claiming GRC nirvana is not in the checklist itself, but in the mapping of checklists.

Here ya go:  Checklists have one of two uses -

First they can give us a path to accomplish something.  I make a checklist every morning I call a “Todo List”.   Useful Checklists could be as Curphey mentions - steps for operating machinery or performing a certain task (heck, scientific method could be said to be a checklist of steps in analysis).  Checklists are useful in this way because, well, we’re fallible, absent minded, and novices.  They serve to reduce some level of variability in a process.

Second, they can help us develop a State of Nature.  PCI or the ISO are very nice checklists that, once you’re done, certifies that you have the existence of a certain amount of control.  Again, this serves to reduce some level of variability, comparing you to a “best practice”.

And so…..

They are both useful in each use - as long as the limitations therein are understood!   And that’s where we get into trouble.  Too many times we believe that checklists are a State of Knowledge.  Checklists allow for some limited analysis, just like the use of ordinal numbers to describe “risk” - they only serve to identify some level of variability, nothing more.

But outside of that they usually offer us no analytical function at all, they cannot provide a State of Knowledge and therefore, more succinctly, Checklists are dumb.

As slightly paranoid, skeptical and jaded risk management professionals, we know this to be true.  A PCI compliant company may or may not be at all “secure” or “risk-free” or even “risk-reduced”.  That’s an aspect of analysis that the checklist is some prior information for, but not nearly all the information we need for an analysis of risk or even a statement about the ability to control or resist.  We know an ISO certified organization did what they claim they do enough to at least fool an auditor once, but cannot arrive at any other State of Knowledge without more effort.

Make no mistake, the checklists we commonly deal with provide a very, very limited State of Knowledge.  Only analysis (with rigor and testing) will provide that.  And note that a State of Wisdom (what we’re really after, after all) is predicated on a strong State of Knowledge.

WHAT ARE YOU MANAGING TOWARDS, REDUX
So if checklists only provide a State of Nature, and are incapable of really giving us Knowledge or Wisdom - then let me encourage you to think about the amount of time you spend just getting a certain State of Nature and the relative return on that investment vs. the amount of time you spend in analysis and synthesis.  Is your time best spent mapping checklist to checklist - or is it better spent developing the analytics that allow us to synthesize wisdom?

AMAZE AND CONFUSE YOUR FRIENDS AUDITORS
Let me finish by encouraging you to have a frank discussion with those who perform your audit function.  You must really pin them down if they are out to give you any analysis at all - and when/if they do provide analysis - press them on what rigor they use to create a State of Nature, and then the means by which they create a State of Knowledge (that belief statement based on the State of Nature they see).

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed ­ and possibly, changed ­ any data within the DOC’s databases. It took me all of a minute to figure out how to download 10,597 records ­ SSNs and all ­ from their website.

Synopsis:Blue Box #70: 2-yr Anniversary show, VoIP security vulnerabilities, Vonage, Comcast, phishing, listener comments and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #70, a 51-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on October 25, 2007.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• Programming notes:
• Dan???s new employment with Voxeo
• Dan at VON next week ??? Dean Elwood is doing a VoIPUser dinner ??? perhaps a Blue Box dinner as well?
• We hope you enjoyed Blue Box SE 21 with Phil Zimmermann ??? many thanks to Martyn Davies for helping with that.
• Reporters for some of the spring shows?  (we can probably get you press credentials??? if you are there)
• XSS attack and SQL injection via SIP against Asterisk
• The XSS attack against Linksys SPA-941 we discussed last week was picked up by Secure Computing which resulted in this SearchSecurity.com article: New Attack Methods Target Web 2.0, VoIP (last link sent to us by Rhodri Davies)
• Sipera released a range of vulnerabilities related to Vonage, Grandstream and more ??? note that the Vonage thread has been picked up by ZDNet???s Russell Shaw
• Wired: Phones Aren???t Safe Either, Hackers Say ??? also discussed in Network World and Russell Shaw We???ve toasted so many of these (VoIP) networks??? and Dustin Trammell???s blog (in the list of sessions he attended)
• SANS: Vishing, Skype, and VoIP-Based Fraud (sent in by Craig Bowser)
• CXO Today: The Phishing Epidemic
• PCWorld.CA: The eight most dangerous consumer technologies (Skype and consumer VoIP are #6 on page 2 )
• TMC Net: VoIP Peering in Search of a Viable Interconnect Business Model (note the comments about security toward the bottom)
• Cisco TechWise podcasts Session Initiation Protocol and Security (it???s on the page??? came out 10/18/07 )
• TechRepublic: Sanity check: Will Microsoft be your next phone company? (nice roundup of the MS announcements??? some of the comments are also interesting)
• Comcast
• AP: Comcast blocks some Internet traffic
• Ed Brill notes the impact on Notes/Domino traffic
• cnet post
• TorrentFreak: Comcast Throttles BitTorrent Traffic, Seeding Impossible
• P2PNet: Comcast impedes hi-speed file sharing
• Carnegie Mellon???s CyLab and Nortel Combine Efforts to Research Leading Security Technologies
• SearchVoIP.au: Avaya white paper: VoIP Security for Dummies
• - Upcoming shows:
  
  
  
  • Oct 24-25, New York, USA, Interop
    
  • Oct 29-Nov 1, Boston, USA, Fall 2007 VON
• Comment (email) from Dan Wing about episode 69 and the potential DDoS attack
• Comment (email) from Raul Siles about episode 66
• Comment (email) from Raul Siles about SANS VoIP Security course
• Two-year-anniversary:
  • Comment (audio) from Martyn Davies
  • Comment (audio) from Dean Elwood
  • Comment (audio) from Mike Wallace
  • Comment (audio) from Raul Siles (with Matrix inclusion)
  • Comment (audio) from Carsten Helmuth (cut off)
  • Comment (email) from Scott Tanner
  • Comment (email) from Shlomo Dubrowin
• - Drawing for the book
• - Review of the last week's traffic on the VOIPSEC public mailing list 


• - Wrap-up of the show


• 51:14 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:Blue Box #70: 2-yr Anniversary show, VoIP security vulnerabilities, Vonage, Comcast, phishing, listener comments and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #70, a 51-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on October 25, 2007.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• Programming notes:
• Dan’s new employment with Voxeo
• Dan at VON next week – Dean Elwood is doing a VoIPUser dinner – perhaps a Blue Box dinner as well?
• We hope you enjoyed Blue Box SE 21 with Phil Zimmermann – many thanks to Martyn Davies for helping with that.
• Reporters for some of the spring shows?  (we can probably get you press credentials… if you are there)
• XSS attack and SQL injection via SIP against Asterisk
• The XSS attack against Linksys SPA-941 we discussed last week was picked up by Secure Computing which resulted in this SearchSecurity.com article: New Attack Methods Target Web 2.0, VoIP (last link sent to us by Rhodri Davies)
• Sipera released a range of vulnerabilities related to Vonage, Grandstream and more – note that the Vonage thread has been picked up by ZDNet’s Russell Shaw
• Wired: Phones Aren’t Safe Either, Hackers Say – also discussed in Network World and Russell Shaw We’ve toasted so many of these (VoIP) networks… and Dustin Trammell’s blog (in the list of sessions he attended)
• SANS: Vishing, Skype, and VoIP-Based Fraud (sent in by Craig Bowser)
• CXO Today: The Phishing Epidemic
• PCWorld.CA: The eight most dangerous consumer technologies (Skype and consumer VoIP are #6 on page 2 )
• TMC Net: VoIP Peering in Search of a Viable Interconnect Business Model (note the comments about security toward the bottom)
• Cisco TechWise podcasts Session Initiation Protocol and Security (it’s on the page… came out 10/18/07 )
• TechRepublic: Sanity check: Will Microsoft be your next phone company? (nice roundup of the MS announcements… some of the comments are also interesting)
• Comcast
• AP: Comcast blocks some Internet traffic
• Ed Brill notes the impact on Notes/Domino traffic
• cnet post
• TorrentFreak: Comcast Throttles BitTorrent Traffic, Seeding Impossible
• P2PNet: Comcast impedes hi-speed file sharing
• Carnegie Mellon’s CyLab and Nortel Combine Efforts to Research Leading Security Technologies
• SearchVoIP.au: Avaya white paper: VoIP Security for Dummies
• - Upcoming shows:
  
  
  
  • Oct 24-25, New York, USA, Interop
    
  • Oct 29-Nov 1, Boston, USA, Fall 2007 VON
• Comment (email) from Dan Wing about episode 69 and the potential DDoS attack
• Comment (email) from Raul Siles about episode 66
• Comment (email) from Raul Siles about SANS VoIP Security course
• Two-year-anniversary:
  • Comment (audio) from Martyn Davies
  • Comment (audio) from Dean Elwood
  • Comment (audio) from Mike Wallace
  • Comment (audio) from Raul Siles (with Matrix inclusion)
  • Comment (audio) from Carsten Helmuth (cut off)
  • Comment (email) from Scott Tanner
  • Comment (email) from Shlomo Dubrowin
• - Drawing for the book
• - Review of the last week's traffic on the VOIPSEC public mailing list 


• - Wrap-up of the show


• 51:14 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.